Making domain users the local administrators of their own computers is a bad but common practice. It gets worse when the Domain Users group itself is placed in the local Administrators group (usually through a GPO or a standard image): every domain user is then an administrator on every computer that carries that membership, so a single compromised account gives an attacker administrative access across the fleet. Administrators know that this is a security risk, but on top of the daily fires that they have to extinguish, there often isn't time to remedy the situation.
If they had the time, these administrators could lock down users' computers, then deploy any software that a user requests by using a Group Policy Object (GPO) or a deployment tool. And if a user needed to run a tool or legacy application that requires local Administrator privileges, administrators could use a tool such as Process Monitor to find the specific registry keys or NTFS paths on which the program receives ACCESS DENIED, then relax only those permissions via a GPO. Deploying software and relaxing permissions when needed aren't difficult tasks, but they are time-consuming. In the end, many administrators just give up and grant users local administrator access to their machines so that they can move on to the next fire.
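The first thing to establish is whether the situation described above actually exists on your machines. The script below is an added example (it is not from the article and not Viewfinity's code) that audits the local Administrators group and flags over-broad domain principals such as Domain Users. It uses the WinNT ADSI provider rather than the newer Get-LocalGroupMember cmdlet so that it runs on the XP and Server 2008 era hosts discussed here as well as current ones. The list of group names to flag and the computer names are assumptions; it only sees direct members, so a Domain Users nested inside another domain group that is itself a local admin will not be caught.

```powershell
# Added example: audit local Administrators membership for over-broad domain groups.
# Uses the WinNT ADSI provider so it works on XP / Server 2008 era hosts as well as
# current Windows (no dependency on Get-LocalGroupMember). Built-in English group
# names are assumed; adjust for localized installations.

# Principals that should never be direct members of a local Administrators group.
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users', 'INTERACTIVE')

function Get-LocalAdminMembers {
    param([string]$ComputerName = '.')
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        # The member objects are COM objects; properties are read via InvokeMember.
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        # ADsPath looks like WinNT://CONTOSO/Domain Users (domain principal)
        # or WinNT://CONTOSO/PC01/localadmin (local account on a domain-joined host).
        $parts  = ($adsPath -replace '^WinNT://', '') -split '/'
        $name   = $parts[-1]
        $domain = if ($parts.Count -gt 1) { $parts[-2] } else { $ComputerName }
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Domain   = $domain
            Name     = $name
            Class    = $class                          # 'User' or 'Group'
            IsBroad  = ($BroadPrincipals -contains $name)
        }
    }
}

function Test-LocalAdminExposure {
    param([string[]]$ComputerName = @('.'))
    foreach ($c in $ComputerName) {
        try {
            $members = @(Get-LocalAdminMembers -ComputerName $c)
        } catch {
            Write-Warning ("{0}: {1}" -f $c, $_.Exception.Message)
            continue
        }
        foreach ($b in ($members | Where-Object { $_.IsBroad })) {
            Write-Warning ("{0}: '{1}\{2}' is in local Administrators; every member of that group is an admin on this host" -f $c, $b.Domain, $b.Name)
        }
        $members
    }
}

# Is the account running this script itself a local admin? With UAC enabled this
# reflects the current (possibly filtered) token, so an admin who has not elevated
# gets False; the group enumeration above is the authoritative check.
function Test-CurrentUserIsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Usage: run locally, or pass a list of hosts (e.g. pulled from Active Directory).
# The host names here are constructed placeholders.
Test-LocalAdminExposure -ComputerName @('.', 'pc01', 'pc02') |
    Format-Table Computer, Domain, Name, Class, IsBroad -AutoSize
"Current user $env:USERDOMAIN\$env:USERNAME is local admin: $(Test-CurrentUserIsAdmin)"
```

Remote enumeration through the WinNT provider needs the Remote Administration (RPC/SMB) path open to the target and a credential that can read the group, which is the same access the agent-deployment methods later in this review depend on.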
Viewfinity Privilege Management takes the work out of discovering the permissions that each application needs to function correctly. It also gives you the option of letting users install software on their own while you still maintain control, all from an easy-to-manage console. Viewfinity isn't the first software company to come up with this type of solution. A few years ago, I reviewed a similar product in the article "Bit9 Parity." The products are similar, but Viewfinity adds a new twist. In addition to a locally administered tool (GPO Editor) that runs on your network, Privilege Management can also be implemented using a Software as a Service (SaaS) model. Both the GPO Editor and SaaS editions of the product have their pros and cons.
To test Privilege Management, I used a test network consisting of a Windows Server 2008 domain, a Windows XP client, and a Windows 7 client. For testing the GPO Editor edition, I added a Server 2008 member server to host the software.
For the most part, the GPO Editor and SaaS editions of Privilege Management function identically. They divide the applications that your users need to run into two groups:
- Applications that are currently installed; these applications are managed with applied policies
- Applications that your users will likely want to use in the future; these applications are managed with a feature named Policy Automation
If users need to use a particular application or tool in their day-to-day activities, you can create a policy that allows its use. For example, in a locked-down computer environment, non-administrator users can't run the Disk Defrag utility, change the power options, or change the date, time, or time zone. You can create a policy that lets them do these things. In addition, if there's a legacy program that users need but it requires Local Administrator privileges to run, you can configure a policy so that they're allowed to run this program with escalated security privileges, while keeping the users out of the Local Administrator security group.
This is a great start, for sure. But eventually you'll run into the problem I mentioned previously -- you simply don't have time to research and write a policy for every single application that users might want to use. This is where Policy Automation comes in.
Policy Automation actively monitors the applications that your users attempt to run. When an attempt is blocked, the user is prompted by a dialog box that asks for a short justification for why they need access to that specific tool or application. The request is then logged in the Privilege Management console, where you can quickly write a new policy that allows the requested software. The new policy can be applied right away or at a specific date and time, and you can also set a policy to expire at a certain date and time. What makes Policy Automation extremely powerful is that the Viewfinity client agent sends all the data needed to create a policy for the requested application back to the management console. You simply right-click the event (e.g., a user attempted to set the date and time), choose Create Policy, and follow the wizard's instructions.
GPO Editor Edition
If you would like to manage the back-end server yourself, Privilege Management comes in a standard executable that you install on your own server. Double-clicking VFGPOEditorSetup.exe takes care of the prerequisites, such as Microsoft .NET Framework 3.5 SP1 and Microsoft Report Viewer 2010, during the installation. The entire administrative console is built as an add-on to the Group Policy Management Console (GPMC), as Figure 1 shows.
Each computer that you want to manage needs to have a client agent installed. The agent comes in an .msi file, so installing it with a GPO, Microsoft System Center Configuration Manager (SCCM), or your favorite third-party deployment tool is a snap.
One of the advantages of the GPO Editor edition is the close integration with Group Policy and GPMC. As a result of this integration, you can easily target specific users and computers.
Another advantage over the SaaS product is that you and you alone control the product. You don't have to rely on an administrator in someone else's data center (aka the cloud) to ensure that your users are able to run the software that they require.
I found the GPO Editor edition to be responsive and easy to use. I found only one disadvantage compared with the SaaS edition: slower policy updates. The SaaS edition has a very tight communication window with each Windows client, whereas the GPO Editor edition updates client policies during the standard Group Policy refresh cycle. (According to TechNet, this happens "every 90 minutes, with a random offset of 0 to 30 minutes" on workstations and member servers; domain controllers refresh every 5 minutes.) I could speed this up during testing by issuing the gpupdate /force command from the client, but it's otherwise much slower than the SaaS edition.
SaaS Edition
The SaaS edition is a service that you access over the Internet. The only software that is installed locally is the client agent on each computer you want to manage and a web plug-in on the computer that you'll use to manage the Privilege Management software.
Like the agent for the GPO Editor edition, the agent for the SaaS edition comes in both 32- and 64-bit versions and can be installed on clients running XP SP3 or later. The client agents can be installed in one of three ways:
- Automated discovery of assets and agent deployment -- After the agent is manually installed on one computer, that agent can discover the remaining computers in your domain and push the agent to them. Note that TCP ports 135 (RPC endpoint mapper), 139 (NetBIOS session), and 445 (SMB) must be open in the local firewall of each target computer. These are the same ports that remote-execution tools and lateral-movement attacks use, so scope the firewall rule to the deploying host and tighten it again once the rollout is complete.
- Manually install or install using a software deployment tool -- The agent also comes prepackaged in an .exe file for manual installation on each machine and an .msi file for deployment through a GPO, SCCM, or a third-party deployment tool.
- Email agent installation package link -- Users are emailed a link that they use to download the agent and install it themselves. Because administrators are constantly trying to train users to not install software from a link that they receive via email, this option seems like a last resort at best.
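Before relying on the automated discovery method, it is worth confirming that the required ports are actually reachable from the host doing the deployment, and distinguishing a port that is closed from one that a firewall silently drops. The script below is an added example (not from the article and not part of the Viewfinity product) that does a timed TCP connect to each of the three ports on each target. The host names are constructed placeholders and the two-second timeout is an assumption.

```powershell
# Added example: check that TCP 135, 139 and 445 are reachable on each target host
# before attempting agent push deployment. A connect that neither completes nor is
# refused within the timeout is reported as 'filtered' (typical of a firewall that
# drops packets) rather than hanging the script.

function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 2000                      # assumption; raise on slow WAN links
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'filtered'                       # no SYN/ACK and no RST in time
        }
        $client.EndConnect($async)                  # throws on an active refusal (RST)
        return 'open'
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException]) { return 'closed' }
        return 'error'                              # e.g. name resolution failure
    } finally {
        $client.Close()
    }
}

function Test-AgentDeployPrereqs {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)
    $ports = @{ 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'; 445 = 'SMB' }
    foreach ($c in $ComputerName) {
        foreach ($p in ($ports.Keys | Sort-Object)) {
            New-Object PSObject -Property @{
                Computer = $c
                Port     = $p
                Service  = $ports[$p]
                State    = Test-TcpPort -ComputerName $c -Port $p
            }
        }
    }
}

# Usage: every row must read 'open' for push deployment to that host to succeed.
# The target names are constructed placeholders.
Test-AgentDeployPrereqs -ComputerName @('pc01.corp.example', 'pc02.corp.example') |
    Format-Table Computer, Port, Service, State -AutoSize
```

A result of 'closed' on 445 usually means File and Printer Sharing is disabled on the target; 'filtered' on all three points at the Windows Firewall profile in effect (a laptop on the Public profile, for instance) or an intermediate firewall, which is the case the article's later remark about mobile users on the SaaS edition speaks to.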
I installed the agent manually on each client machine (as a local administrator) and was surprised to see the object almost immediately show up in the online SaaS console. To test the software, I logged on to the client as a domain user that was not a local administrator. Just like with the GPO Editor edition, managing the applications that users request is a snap.
The management of the computers themselves is done through a web browser interface. Again, no server-side software is installed in your data center.
The SaaS edition has both pros and cons, just like the GPO Editor edition. For starters, as with all SaaS solutions, you are not in control of the data center components of the software. This was clearly evident over the weekend when I was met with this message on the Viewfinity website: "Scheduled maintenance occurs every Sunday between 9:00 AM and noon GMT on the Viewfinity SaaS platform. During this time service may be interrupted. If you have specific questions, please contact Viewfinity support."
I also noticed that the website can be slow sometimes. The web application hung a number of times for no apparent reason. If this happens when you're creating policies, it can be very frustrating. And I thought the SaaS interface wasn't as intuitive as the on-site application, as a number of separate browser windows need to be open in order to use the application.
One huge advantage that the SaaS edition has over the GPO Editor edition is the communication mechanism that it uses. Instead of having to open inbound ports on the firewall to allow communication, all policies are transmitted over HTTPS (TCP port 443), which is already permitted outbound on most firewalls. The SaaS edition was also much faster at sending new policies to the clients. Instead of waiting for the next Group Policy refresh cycle, new policies are sent almost immediately -- most times in under a minute. If you have a mobile sales force that still doesn't understand what the VPN is used for, the SaaS edition may be your best bet.
Windows 7 versus XP
By using the included Quick Start Guide, I was able to easily set up a policy that allowed a non-administrator to run the built-in Disk Defrag utility. When I attempted to run software or access a restricted system tool (such as changing the date and time), I found it simple to create a policy from the log of the event.
I found the experience pleasurable for the Windows 7 client, but the XP client proved to be more of a challenge. The applied policies worked fine. But the Policy Automation feature didn't recognize many of the access attempts in XP that were recognized in Windows 7. According to Alex Shoykhet, vice president of product management at Viewfinity, this will be addressed in the next version. If you currently have XP machines, I recommend that you leave them alone and implement Privilege Management at the same time you roll out Windows 7 or Windows 8. Making the change at the same time you implement a shiny new OS might also help your users more easily accept the increased security.
A Powerful Tool
Letting users operate as local administrators of their computers is bad security practice. Viewfinity takes much of the work out of determining how to relax the appropriate permissions in a locked-down computer environment. Add to this feature set the choice of using the SaaS or GPO Editor edition and you have a powerful tool in your back pocket.