March 8th, 2007

BeyondTrust makes standard user usable in Windows

Posted by George Ou @ 4:03 am

Categories: Desktop, Infrastructure, Security, Vista


It's a well-known fact that almost all IT organizations run their client Windows computers (typically 2000 or XP) with users logged on as full administrators, which violates the fundamental security principle of least privilege. The simple reason is that running Windows 2000 and XP as a standard user is too difficult to manage for most businesses, and many "security" applications, such as antivirus and system management software, either demand administrative privileges or simply don't work without them.
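To measure how widespread this is on your own network rather than taking the claim on faith, here is an added example (not from the original post) in PowerShell that lists the members of the local Administrators group on each workstation and filters out the accounts you expect to find there. The machine names are constructed placeholders, and the script assumes the account running it can read the local SAM on those machines remotely (normally a domain admin); the WinNT ADSI provider it uses works against Windows 2000 and XP as well as Vista.

```powershell
# Added example, not part of the original post: enumerate the members of the
# local Administrators group on a list of workstations to see how many
# everyday user accounts hold full administrative rights.
# Assumption (hypothetical): the machine names exist and the caller can read
# their local SAM remotely.

$computers = @('WS-001', 'WS-002')   # constructed sample list; replace with your own

$report = foreach ($computer in $computers) {
    try {
        # The WinNT provider exposes local groups even on Windows 2000/XP.
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        foreach ($member in @($group.Invoke('Members'))) {
            # Members come back as COM objects; pull ADsPath and Class via reflection.
            $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
            New-Object PSObject -Property @{
                Computer = $computer
                # WinNT://DOMAIN/name  ->  DOMAIN\name
                Member   = ($path -replace '^WinNT://', '') -replace '/', '\'
                Type     = $class   # 'User' or 'Group'
            }
        }
    } catch {
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}

# Accounts you expect to see; anything else is a candidate for standard-user mode.
$expected = @('Administrator', 'Domain Admins')

$report |
    Where-Object { $expected -notcontains (($_.Member -split '\\')[-1]) } |
    Sort-Object Computer, Member |
    Format-Table Computer, Type, Member -AutoSize
```

Anything left in the output is a user (or a group of users) that logs on with an unfiltered administrative token; that list is the population Privilege Manager or Vista's standard-user mode is meant to shrink.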

Giving users administrative privileges on their own computers is the most dangerous thing you can do from a security standpoint, but it's something the Windows world has unfortunately gotten used to, while UNIX, Linux, and Mac OS X force users to elevate privileges when they need them. Windows Vista is the first Windows release that runs even administrator accounts with a standard-user token by default (Admin Approval Mode), and it provides a more graceful way of elevating privileges through User Account Control (UAC), but it will take quite some time before businesses adopt Vista. Even when they do, IT departments may not want their users making the decision to elevate through the UAC prompt. UAC prompts for standard users can easily be suppressed globally through Group Policy ("automatically deny elevation requests"), but that only puts us back in the Windows 2000/XP situation of not being able to run software that needs administrative privileges. This is where BeyondTrust comes in.

BeyondTrust Privilege Manager is an enterprise management product that supports Windows 2000, XP, Vista, and Server 2003 (needed in terminal server environments). It extends Active Directory Group Policy so that you can define granular, on-the-fly, seamless privilege elevation for specific actions, such as changing the system time, running particular programs, or working in particular folders: the account stays a standard user, but processes matching a rule are launched with administrative rights. There is also a free version of Privilege Manager that works through local Group Policy, so you can use it on an individual machine; anyone who wants to run as a standard user without permission problems can do so at no cost with it. The enterprise version, which costs $30 per seat (with large volume discounts), adds the ability to manage elevation rules at the Active Directory level for an entire domain, organizational unit, or individual user. This means you can let that annoying antivirus package run with administrative rights without giving the user the administrative rights that let him or her get into trouble with persistent rootkits and malware. Note that I qualified that statement with the word "persistent": Privilege Manager won't stop malware running as the user from nuking user files or installing itself in the user's own startup locations, but a standard-user token does keep it out of the kernel, the system directories, and the machine-wide registry keys. That kind of damage can at least be cleaned up by deleting and re-creating the local user account and profile, though your data may not be so lucky unless you had it backed up offline somewhere. The flip side is that every application you whitelist for elevation now runs with administrative rights, so the list should be short and each entry vetted: an elevated program that can be talked into launching another program is itself a path back to full administrator.
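When you start writing elevation rules, the first question is whether a given process actually received an administrative token and whether it can touch machine-wide state. The following is an added probe script (not from the original post and not part of BeyondTrust's product) in PowerShell: run it once from a plain standard-user logon and once through an elevation rule (or a UAC prompt on Vista) and compare the two reports. It only opens a machine-wide registry key for write access to see whether it is allowed to; it changes nothing.

```powershell
# Added example, not part of the original post or of Privilege Manager: report
# what token the current process is running with. Useful for confirming that
# an elevation rule (or a UAC elevation on Vista) really produced an
# administrative token, and that a normal logon really did not.

function Get-TokenReport {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # On a Vista filtered token the Administrators group is present only as a
    # deny-only SID, so IsInRole correctly returns $false for it.
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Try to open HKLM\SOFTWARE for writing. Opening the key writes nothing;
    # the OS simply refuses the handle if the token lacks the right.
    $canWriteHklm = $false
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE', $true)
        if ($key) { $canWriteHklm = $true; $key.Close() }
    } catch {
        $canWriteHklm = $false
    }

    # Resolve group SIDs to names where possible (logon-session SIDs have none).
    $groups = foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    }

    New-Object PSObject -Property @{
        User         = $identity.Name
        IsAdminToken = $isAdmin
        CanWriteHKLM = $canWriteHklm
        Groups       = [string]::Join('; ', @($groups))
    }
}

Get-TokenReport | Format-List User, IsAdminToken, CanWriteHKLM, Groups
```

If IsAdminToken and CanWriteHKLM are True from an ordinary logon, the user is still an administrator and the rule is not doing anything; if they are True only under the rule, the elevation is scoped the way the post describes. Running the probe through a rule that targets a generic launcher (a shell, a script host) would also show you that such a rule elevates anything the user points it at, which is the vetting concern raised above.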

For Windows 2000 and XP, Privilege Manager seems to be a great deal for businesses because it vastly improves security and reduces the downtime spent cleaning up malware or systems that users hosed with unauthorized software. The value proposition for Windows Vista is a bit less certain, but it may still be worth looking at, since your users won't need to deal with the UAC decision process, where they might make the wrong choice. Having a way of centrally whitelisting which code is trusted enough to run as administrator and which is not is a valuable management tool. Of course, Vista UAC can be configured through Active Directory Group Policy ("Only elevate executables that are signed and validated") to permit elevation only of code digitally signed by a trusted publisher, so that may be a reasonable alternative for preventing users from making bad decisions. But it still prompts the user for UAC authorization, which makes it far from transparent, and a signature only tells you who published the code, not whether that code is safe to run as administrator. I'd suggest giving the free version a test drive to see if it's worth it.
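Both the global suppression of standard-user prompts mentioned earlier and the signed-code-only policy just described are ordinary registry-backed UAC settings, so you can audit a Vista build for them before deciding whether a third-party product is needed. Here is an added example (not from the original post) in PowerShell that checks the documented UAC policy values and runs the same checks against two constructed profiles: the "suppressed" configuration the post warns turns Vista back into XP, and a hardened one that prompts only for signed, validated executables. The registry path and value names are Microsoft's; the wording of the findings is mine.

```powershell
# Added example, not part of the original post: audit the UAC policy values
# that govern what a Vista standard user can elevate. Test-UacPolicy takes a
# hashtable so the same checks run against the live registry or against the
# constructed sample profiles below.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Read the live values; a value that is not set comes back as $null.
    $p = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    @{
        EnableLUA                   = $p.EnableLUA
        ConsentPromptBehaviorUser   = $p.ConsentPromptBehaviorUser
        ConsentPromptBehaviorAdmin  = $p.ConsentPromptBehaviorAdmin
        ValidateAdminCodeSignatures = $p.ValidateAdminCodeSignatures
        PromptOnSecureDesktop       = $p.PromptOnSecureDesktop
    }
}

function Test-UacPolicy([hashtable]$Policy) {
    $findings = @()
    if ($Policy.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: UAC is off; members of Administrators get a full admin token at logon, as on XP.'
    }
    if ($Policy.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'ConsentPromptBehaviorUser=0: standard users are "automatically denied", so nothing that needs admin rights can run for them.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently, and so does anything running as them.'
    }
    if ($Policy.ValidateAdminCodeSignatures -ne 1) {
        $findings += 'ValidateAdminCodeSignatures<>1: unsigned executables can be elevated; set to 1 to require a validated signature.'
    }
    if ($Policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: elevation prompts appear on the normal desktop, where other user-mode code can interfere with them.'
    }
    if ($findings.Count -eq 0) { $findings = @('No weak UAC settings found.') }
    $findings
}

# Constructed profile 1: UAC on, but standard-user prompts globally suppressed.
$suppressed = @{ EnableLUA = 1; ConsentPromptBehaviorUser = 0; ConsentPromptBehaviorAdmin = 2;
                 ValidateAdminCodeSignatures = 0; PromptOnSecureDesktop = 1 }
# Constructed profile 2: prompt standard users for credentials, signed code only.
$hardened   = @{ EnableLUA = 1; ConsentPromptBehaviorUser = 1; ConsentPromptBehaviorAdmin = 2;
                 ValidateAdminCodeSignatures = 1; PromptOnSecureDesktop = 1 }

'--- suppressed profile ---'; Test-UacPolicy $suppressed
'--- hardened profile ---';   Test-UacPolicy $hardened
'--- this machine ---';       Test-UacPolicy (Get-UacPolicy)
```

The suppressed profile produces two findings (auto-deny for standard users and no signature requirement); the hardened profile produces none. Note that the hardened profile still prompts, which is the transparency gap the post points out, and that it admits any validated signature rather than a list of applications you chose.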

George Ou is Technical Director of ZDNet.
