RealTime IT News

BeyondTrust Extends Vista Security

BeyondTrust has announced version 4.0 of its flagship Privilege Manager product. The new version is designed to make managing security in Windows Vista easier.

Privilege Manager 4.0 lets enterprises eliminate local administrator rights while allowing users to run all authorized applications by transparently granting administrative privileges to only the specified applications that need them.

It also lets IT set the integrity level of an application process to create an enhanced Least Privilege security environment, and has on-demand capabilities that let authorized users elevate the privileges of applications not previously specified.

It does this by leveraging Active Directory's Group Policy, and BeyondTrust says this is the first product to have this capability.

Privilege Manager 4.0 also gets rid of the sometimes annoying dialog boxes that crop up when Vista's User Account Control (UAC) security is enabled.

Another new feature lets IT define rules to provide elevated privileges to applications with digital certificates signed by specified software publishers. The idea here is to make it faster and easier for administrators to create rules for software from trustworthy sources.

Further, Privilege Manager 4.0 includes a new rule to elevate software installation privileges from specified or authorized CDs or DVDs.

What It All Means

Integrity levels are assigned to every process, user and object in Vista, and an object can only interact with another of the same or a lower integrity level.

By default, Vista runs applications at a medium integrity level, and Privilege Manager lets users set the integrity level of processes.

"You could, for example, tell Vista to run Firefox at a low integrity level so any piece of malware or anything that can leverage that process won't be able to run," Scott McCarley, director of marketing at BeyondTrust, told InternetNews.com.

By providing an on-demand elevation rule, Privilege Manager eliminates the need for systems administrators to log in as local administrators onto users' desktops.

This reduces security headaches because "a lot of spyware and malware requires administrative privileges in order to install, and they can turn off certain systems or disable security products such as your firewall if they get those administrative rights," McCarley explained.

But if local users get on-demand capabilities to elevate the privileges of previously unspecified applications, does that mean they won't have to go to system administrators for help? Yes, but "that lets users run without administrative rights yet still do all the activities they need to do to complete their jobs," McCarley said.

For example, users may need to be able to self-manage tasks like installing approved ActiveX controls or defragging their hard drives.

Also, it's difficult to predict when certain types of users, such as traveling laptop users, system administrators and developers, will need elevated privileges, as, by the nature of their jobs, "they may need to install or run an application they previously didn't have to," McCarley said.

Creating a policy to cover such ad hoc requirements was difficult, so with Privilege Manager 4.0 BeyondTrust has introduced new rules to cover the unpredictable requirements of such users.

Doesn't that open up new security holes? Not at all: "You could designate one systems administrator or a group of systems administrators to be allowed to run a process with elevated privileges at their discretion, but they'd be prompted for passwords and required to provide a text justification," McCarley said.