PRIVILEGE MANAGEMENT
BeyondTrust Privilege Manager 3.0
REVIEWED BY BRAD CAUSEY
BeyondTrust
Price: $30 per seat
The least privilege
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
security model is the de facto standard for reducing the risks of elevated user privileges. This can be a challenge in Windows environments. You don't want your end users to have general admin rights, but they may need them to run the applications required to do their jobs. There's no easy way to manage this, so companies wind up letting users have excessive privileges, leaving their desktops, user accounts and software vulnerable to attack.
BeyondTrust's Privilege Manager 3.0 solves this dilemma through a Group Policy extension that allows organizations to control permissions for selected processes and applications. BeyondTrust has also introduced a new technology, called ShatterProof process isolation, that prevents shatter attacks, a complex privilege escalation technique.
| Configuration/Management | A |
Once installed, the Privilege Manager settings are available by simply opening the Group Policy Object Edi-tor. It gives you a single interface to manage the custom add-ons as well as the default GPO settings, simplifying management and reducing administrative overhead.
Each managed computer requires client software to capture and manage permissions for processes and programs; it can be installed through standard software deployment or via Group Policy. The client reads the custom GPO settings and modifies the security token on programs as they launch, giving the user elevated privileges as defined by Privilege Manager rules.
| Policy Control | A |
For each rule, you define what action will be taken, including modifying privileges and permissions for target applications. Defined privileges dictate what components of the system will be accessible when the program or process is initiated and for the duration of its run time. These rules can be configured with filters that restrict what settings apply to what group. For example, you can disable the policy for a specified application based on a wide range of criteria, such as subnet, computer name, user, security group or organizational unit. In addition, you can modify Internet Explorer behavior and ActiveX security through a custom administrative template.
| Effectiveness | A |
| Verdict |
Testing methodology: Clients in our AD domain consisted of several Windows 2000 and Windows XP computers with various service packs. A variety of applications were tested including Web sites with ActiveX requirements, DOS-based applications, network-based applications and locally installed programs.
This was first published in October 2007