Monday, April 19, 2010

You Don’t Have the Proper Privilege Level

I was sitting through our executive business reviews last week and the guys from Scriptlogic were talking about how they’ve had more than 15,000 downloads of their free Privilege Authority product since it was released a few weeks ago. That gave me a bit of incentive to write a bit more about Privilege Authority. It is a very common security – and compliance – best practice to run users with the least privileges possible, and elevate application and ActiveX control privileges only when absolutely needed. Why do I like this solution so much? Well, beside the fact that it is free I like that it uses Microsoft Active Directory and Group Policy to distribute Privilege Authority rules to client machines. Pretty much everyone is using Active Directory. Group Policy is a feature of Windows Server that was included in the original Windows Server 2000 but I really don’t believe it is used to the extent that it could be at most companies. Sure it’s used by nearly everyone to set password policies but it is difficult sometimes to find a company that is using it more extensively. Privilege Authority leverages Group Policy for more. What could be better than a free tool that leverages included functionality in Windows Server?

Some of the common rules that come with Privilege Authority include:
  • allowing users the ability to install Adobe Flash Player
  • allowing users to change the date and time of their system
  • allowing Java Runtime 6 updater to run as an Administrator
  • allow Adobe Reader updater to run as Administrator
  • allow users to run System Properties
  • allow users to run Internet Explorer with Admin rights
There are three types of custom rules that you can create:
  1. A file rule, where the path of the executable is specified.
  2. A folder path, in which case the rule will be applied to all processes run from the path.
  3. An ActiveX rule where a URL is specified.
I also wanted to mention that there is community support for Privilege Authority at Not only can you ask questions, make product suggestions or submit bugs but you can also upload or download policy files (rules). I took a quick look and saw policy files were available to run the Blackberry Desktop Software, UPS Shipping Module and Adobe Updater as administrator.
I’m not sure why anyone would want to pay for a tool that manages local administrative privileges when you can download Privilege Authority for free. Try it out.

No comments: