As many organizations look to migrate to Windows 7, it is an opportune time to review user privileges. User Account Control (UAC) was introduced by Microsoft in Windows Vista, and it has remained much the same in Windows 7, albeit with a few minor tweaks to its default behavior. Although UAC is a welcome addition to Windows, it really doesn’t provide a corporate solution to least privilege.
Here are 10 reasons why Privilege Guard (Edit: now Defendpoint) provides a more suitable solution for the corporate environment.
1. Policy Driven Approach
UAC is a user driven approach to windows least privilege, in that users make the decision on whether an application should run with administrative rights. Privilege Guard, on the other hand, takes a policy driven approach, where the IT department has complete control over which applications run with administrative rights. It is tightly integrated with Active Directory Group Policy, so no additional backend infrastructure is required to deploy Privilege Guard policies.
2. Standard User Account
UAC requires the user to either logon with a local administrator account or to have access to a local administrator account, which gives the user too much control, leading to deliberate or accidental misuse of these privileges. Privilege Guard enables all users to logon with standard user accounts, as elevated rights are assigned directly to the applications that require them, without the user requiring access to a local administrator account.
3. Granular Privilege Control
UAC can only assign full administrative rights to an application, whereas Privilege Guard can assign granular privileges to individual applications, including, but not limited to, full administrative rights. With Privilege Guard, custom access tokens may be defined, enabling granular control over the groups, privileges and integrity level within an access token.
4. Privilege Inheritance
Once an application is assigned administrative rights with UAC, all child processes of that application will automatically inherit those rights, and there is no way to override this behavior. In Privilege Guard, privilege inheritance may be defined on a per application basis, ensuring privileges are only inherited where it is absolutely necessary. In addition, Privilege Guard will force standard user rights on the common file dialog that many applications utilize to allow a user to open or save files. This dialog has full explorer capabilities, so it is important to revoke administrative rights from this dialog, to ensure that deliberate or inadvertent modification of files in restricted operating system and application directories is not possible.
5. On Demand Elevation
Although UAC does provide an on demand elevation facility through the “Run as administrator” shell context menu, the requirement for a user to have an administrator password makes this facility inappropriate for most corporate users, with the exception of real system administrators. Privilege Guard enables a custom shell menu item to be defined, which may be applied to all or selected applications. This on demand facility functions under a standard user account, without the need for an administrator password. In addition, the user may be prompted with a custom message and optionally be asked to provide a reason for their actions, which is audited. Users can also be forced to re-authenticate before elevating an application, providing an extra level of security and discouraging a nonchalant attitude.
6. Application Support
UAC may be invoked for executables and installer packages, either because an application is deemed to require administrative rights, or the user has launched the application via “Run as administrator”. In addition to executables and installers, Privilege Guard can also manage the privileges assigned to individual scripts, including batch files, WSH scripts and PowerShell scripts. For more advanced users, Privilege Guard can elevate management console snap-ins, without giving the user elevated rights over the entire MMC. Privilege Guard can also handle the installation of authorized ActiveX controls.
An important aspect of Privilege Guard is the ability to provide a comprehensive audit trail of each user’s actions. This audit trail may be vital to satisfy regulatory or internal compliance initiatives. Privilege Guard logs detailed application and policy information, including the end user’s reason for elevating an application, where applicable.
8. Privilege Monitoring
Privilege Guard includes a privilege monitoring capability, which may be used to discover any applications that require elevated rights to function. This capability is often used in the pilot phase of a least privilege project to identify the applications that need administrative rights to run. Once identified, applications may then be added to Privilege Guard policies, enabling these applications to function under a standard user account, without the need for user intervention. Privilege Monitoring may also be used in a live environment to provide application forensics of all privileged operations, including details of access to the file system, registry, kernel objects and interaction with system services.
9. Custom End User Messaging
The end user experience is often over-looked, and yet this can be crucial if a least privilege environment is to be accepted by the user community. Unlike UAC, which shows a fixed message, Privilege Guard provides a fully customizable messaging facility, enabling any number of custom messages to be defined. The IT department has full control over when a message should be displayed, whether a user should be forced to re-authenticate and whether they should be asked to provide a reason for their actions. All of the text in these messages may be customized, including full multi-lingual support. It is also possible to block a user from running a privileged or unauthorized application, and in this scenario the user can be provided with the ability to email a request to the help desk to run the blocked application.
10. Supported Platforms
Although many organizations are looking to make the move to Windows 7, other versions of Windows, such as XP and Vista, will continue to be prevalent for many years. Privilege Guard provides the same capabilities across all Windows platforms, making it possible to implement the same solution in mixed environments, and take the solution forward to during a Windows 7 migration.
Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.