Contributor:
Mark Austin
September 16th, 2011

Privilege Guard 2.8 Anti-tamper Protection

Privilege Guard 2.8 (Edit: now Defendpoint) is the first privilege management solution to introduce an intelligent anti-tamper mechanism that can protect the Privilege Guard software and configuration settings against modification from elevated processes, while still allowing the solution to be administered by true system administrators.

The very nature of a privilege management solution means that it elevates the privileges of processes. In the majority of cases these elevated processes will not provide the user with a way to interfere with the privilege management solution itself. However, in some situations you may want to allow more technical users to elevate command prompts and system management tools, such as the Services console and Registry Editor. At this point, there is a risk that the user could use these tools to tamper with the privilege management solution.

To eliminate this risk, the new anti-tamper mechanism in Privilege Guard dynamically inserts a special protection group into the access tokens of all elevated processes. This protection group is then used to restrict access to the Privilege Guard software, configuration settings and cached policies, relying on native NTFS security to enforce it. In essence, any process that has been elevated by Privilege Guard has no more rights than a standard user if it attempts to interfere with the Privilege Guard solution.
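As an added illustration (not code from Avecto or the original post), this Python sketch models simplified Windows DACL evaluation to show how a group that exists only in elevated tokens can block access the Administrators group would otherwise grant. The protection-group SID, the use of a deny ACE and the DACL contents are assumptions; the post does not describe the product's actual ACLs.

```python
"""Simplified model of Windows DACL evaluation (constructed example)."""
from dataclasses import dataclass

# Access-mask bits (real Windows values for file objects).
FILE_READ_DATA, FILE_WRITE_DATA, DELETE = 0x0001, 0x0002, 0x00010000
FULL = FILE_READ_DATA | FILE_WRITE_DATA | DELETE

# Well-known SIDs, plus a HYPOTHETICAL protection-group SID (placeholder).
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
PROTECTION_GROUP = "S-1-5-21-0-0-0-9999"  # constructed, not the product's SID

@dataclass(frozen=True)
class Ace:
    kind: str  # "allow" or "deny"
    sid: str
    mask: int

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order: a matching deny ACE covering any requested bit
    that is not yet granted fails the request immediately."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # bits no ACE granted are implicitly denied

# ASSUMED DACL on a protected directory: deny ACE first (canonical order).
PROTECTED_DACL = [
    Ace("deny", PROTECTION_GROUP, FULL),
    Ace("allow", ADMINISTRATORS, FULL),
]

# Constructed tokens: only the agent-elevated one carries the extra group.
TOKENS = {
    "true_admin": {ADMINISTRATORS, USERS},
    "elevated_by_agent": {ADMINISTRATORS, USERS, PROTECTION_GROUP},
    "standard_user": {USERS},
}

def report(desired=FILE_WRITE_DATA | DELETE):
    """Map each token name to whether the requested access is granted."""
    return {n: access_check(t, PROTECTED_DACL, desired) for n, t in TOKENS.items()}

if __name__ == "__main__":
    print(report())
```

In this model the deny ACE only works because it precedes the Administrators allow ACE; with the order reversed, the elevated token would be granted access before the deny entry is ever reached.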

To demonstrate the anti-tamper mechanism in action, let’s see what happens when the user is given access to an elevated command prompt. Although the command prompt below is running with full administrator rights, any attempt to stop the Privilege Guard service, change directory to the Avecto program data directory or tamper with the software binaries results in an access denied error. Try doing this with any other privilege management solution and don’t be surprised to see a very different result!

Anti-tamper Protection - Command Prompt


Since the anti-tamper mechanism relies on native NTFS security to restrict access based on the special Privilege Guard protection group, it ensures that this protection extends to all elevated applications. For instance, in the screenshots below you will notice that the options to manipulate the Privilege Guard service in the Services console are disabled and any attempt to delete the Avecto registry key in the local machine hive using Registry Editor is denied. Both of these applications are running with full administrative rights, but are incapable of tampering with Privilege Guard.

Anti-tamper Protection - Services Console


Anti-tamper Protection - Registry Editor


Introducing Defendpoint

Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.
