Review: BeyondTrust PowerBroker Desktops, Windows Edition

The topic of users running as local administrators seems to be on everyone's mind lately. Because antivirus and antispyware solutions often offer toolittle protection too late, administrators are looking for a better way to protect users' computers. BeyondTrust's PowerBroker Desktops, Windows Edition,can help you take back control and put the users back in their place -- as local users, not administrators.

Installing and Configuring the Product

There are two basic components in PowerBroker: a Group Policy Management Console (GPMC) snap-in, which Figure 1 shows, and a client agent that's installedon each Windows 7, Windows Vista, or Windows XP client. Both come in 32- and 64-bit versions. The GPMC snap-in can be installed on Windows Server 2003 SP1and later or on XP SP2 and later.

Figure 1: PowerBroker GPMC snap-in 

I installed the GPMC snap-in on my test domain's domain controller (DC). The only prerequisite is Microsoft .NET Framework 4.0, which must be installedseparately. When you double-click the pbwdsnap32/64.msi file, a short wizard helps you install the application. It took under a minute on my DC.

I chose to install the client agent through Group Policy. By doing it this way, every time you add a new Windows 7, Vista, or XP computer to the domain andplace it in the proper organizational unit (OU), the agent will be automatically installed without any other user or administrator intervention. Licensingis controlled by an XML license file that's imported into the application through GPMC.

Installing and Configuring the Optional Reporting Solution

An optional reporting environment can be installed on a separate server. PowerBroker Desktops Auditing and Reporting requires a Microsoft SQL Server or SQLServer Express back-end database. This handy reporting tool uses the Microsoft Event Forwarding service to gather information about the applications thatare being used and any privileges that they might require. Although optional, you'll soon discover that this feature is really the heart of theapplication, as I explain later in this review.

Unlike the GPMC snap-in and client agent, the PowerBroker Desktops Auditing and Reporting software took much more time to install and configure. TheInstallation Guide does a good job of walking you through the setup tasks, but there were quite a few settings to configure.

The last step is to configure the Windows Remote Management (WinRM) and Event Forwarding on each Windows 7, Vista, or XP computer. This can be done withGroup Policy.

Overall, setting up PowerBroker Desktops Auditing and Reporting isn't difficult. However, the process is lengthy and prone to failure if you make onemistake or miss a configuration step.

Using the Product

Creating a new rule that allows users to run a specific piece of software is a right-mouse click and short wizard away. In under a minute, I was able tocreate a rule that allows non-administrators to use the built-in disk defragmentation tool. Instead of being met with the standard Windows 7 User AccountControl (UAC) prompt, non-administrators can now easily run this tool.

The rules can be as simple or complex as you need them to be. For example, when I created the rule for the disk defragmentation tool, it didn't work thefirst time. This is because the rule was looking specifically for the version 6.0.6001.18000 of lhdfrgui.exe from Windows Server 2008 where the rule wascreated. The rule didn't apply to my Windows 7 test client, as it uses version 6.1.7601.17514 of the same file. So, instead of using the file version inthe rule, I used the filename and publisher (O=Microsoft Corporation, L=Redmond, S=Washington, C=US) to uniquely identify the file. After I did this, therule worked perfectly.

If the filename and publisher aren't sufficient for security reasons, PowerBroker can uniquely identify a program by its pathname, a hash, a WindowsInstaller path, or an ActiveX component. Other options, such as the file location on a CD or DVD based on the serial number of the disk, are available aswell.

Finally, Windows Management Instrumentation (WMI) filters are available to further define who should have the privilege of running the application definedin the rule. There are 26 filters, including filters based on whether a battery is present, CPU speed, disk space available, memory, and Active Directory(AD) security group.

When users attempt to use an application and they have the necessary privilege, the default action is to simply allow them to run it. This behavior can bechanged, however, to prompt the users for justification as to why they need to use it.

Using the Reporting Solution

Pre-authorizing applications that you anticipate that your users will need is useful, but this only takes you so far in the real world. As soon as youdeploy a computer to a user, the user will undoubtedly need the ability to use an application that you didn't anticipate. This is where the optionalreporting functionality comes in.

The reporting application, PBReports.exe, can be accessed from GPMC or by simply creating a shortcut to the executable. If you receive a request from auser who needs to run an application, you use the reporting tool to create a rule that would allow the user to run it.

For example, suppose a user wants to run an application named MyProgram.exe. First, you use the reporting tool's query functions to narrow down the list ofWindows Events to just the one that you need. You'll know that you have the right one when MyProgram.exe is listed in the Application column of the report.Next, you right-click MyProgram.exe and choose to generate a publisher, path, or hash rule. Doing so will allow you to copy XML-style data to theclipboard. This data is then copied directly into the GPMC's PowerBroker section. Although the copy-and-paste operation is all that it takes toautomatically generate a new rule, the process is a bit clunky compared to other solutions in this market.

An Easier Way to Protect Users' Computers

PowerBroker does the heavy lifting for you. Instead of having to relax NTFS or registry security for each application that would normally require localadministrator privileges, PowerBroker elevates the user's privileges for just that application. The GPMC integration is super convenient, but configuringthe reporting solution can be tricky if you miss one of the many steps that are required. For this reason, I'm giving PowerBroker 4 stars out of 5.