This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."
BeyondTrust Privilege Manager 3.0
REVIEWED BY BRAD CAUSEY
Price: $30 per seat
The least privilege security model is the de facto standard for reducing the risks of elevated user privileges. This can be a challenge in Windows environments. You don't want your end users to have general admin rights, but they may need them to run the applications required to do their jobs. There's no easy way to manage this, so companies wind up letting users have excessive privileges, leaving their desktops, user accounts and software vulnerable to attack.
BeyondTrust's Privilege Manager 3.0 solves this dilemma through a Group Policy extension that allows organizations to control permissions for selected processes and applications. BeyondTrust has also introduced a new technology, called ShatterProof process isolation, that prevents shatter attacks, a complex privilege escalation technique.
Privilege Manager adds GPO extensions that integrate with Internet Explorer and Microsoft's Group Policy Management Console, so admins can work directly through a customized Active Directory interface. The installation was very easy and fast, consisting of an MSI with few requirements, chiefly the .NET framework and AD's Group Policy Management Console. (These can be downloaded free from Microsoft's Web site.)
Once installed, the Privilege Manager settings are available by simply opening the Group Policy Object Editor. It gives you a single interface to manage the custom add-ons as well as the default GPO settings, simplifying management and reducing administrative overhead.
Each managed computer requires client software to capture and manage permissions for processes and programs; it can be installed through standard software deployment or via Group Policy. The client reads the custom GPO settings and modifies the security token on programs as they launch, giving the user elevated privileges as defined by Privilege Manager rules.
Creating policies for application privileges is simple and intuitive. Each rule allows you to identify a target process or executable name. This can be done by a number of different methods, including MSI GUID, hash, path, folder or ActiveX rules, giving you tremendous flexibility.
For each rule, you define what action will be taken, including modifying privileges and permissions for target applications. Defined privileges dictate what components of the system will be accessible when the program or process is initiated and for the duration of its run time. These rules can be configured with filters that restrict what settings apply to what group. For example, you can disable the policy for a specified application based on a wide range of criteria, such as subnet, computer name, user, security group or organizational unit. In addition, you can modify Internet Explorer behavior and ActiveX security through a custom administrative template.
Privilege Manager provides an extremely effective framework for implementing least privilege policies. The overall concept of least privilege in an enterprise environment is plagued with difficulties. Often, developers have to get involved, code has to be changed, and massive amounts of time will be spent during implementation and dealing with unknowns. Because Privilege Manager integrates with Group Policy, it will significantly simplify the management of application privileges and permissions.
Privilege Manager will prove invaluable for implementing and managing a least privileges program. Although long-term management of each application will be complex, it helps cut the job down to size.
Testing methodology: Clients in our AD domain consisted of several Windows 2000 and Windows XP computers with various service packs. A variety of applications were tested, including Web sites with ActiveX requirements, DOS-based applications, network-based applications and locally installed programs.
This was first published in October 2007