[gptalk] Re: BeyondTrust Privilege Manager

  • From: "Nelson, Jamie R" <Jamie.Nelson@xxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 17 Apr 2008 11:16:28 -0500

Couldn't agree more. However, even if you're only elevating on a
per-process level, aren't you still vulnerable if that particular
application has known exploits?

 

The ultimate goal is to get people (software developers) to understand
the least privilege model so that applications can run in the context of
a normal user. The bigger companies caught on pretty quickly, but a lot
of smaller vendors and in-house developers still don't get it (even
though Windows XP has been out for 6+ years!). Privilege Manager is
definitely the best alternative I've seen if you absolutely have to
remove rights in a hurry (and have a lot of problem applications).
Otherwise, you attack the source of the problem by tactfully explaining
to vendors how they are creating issues for you, in hopes that they'll
fix the problem themselves.

 

Jamie Nelson | Systems Engineer | Systems Support, Information
Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
405.553.5687 | http://www.integrisok.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, April 16, 2008 6:35 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

 

Just a few comments here. Privilege Manager solves the problem of
running with least privilege at a deeper level than just file and
registry permissions. You can do things like grant user rights, allow
ActiveX installations, run core OS tasks (e.g. install a printer) that
would normally require elevated rights. So, I would look at it as a more
holistic approach for getting to least privilege use. Frankly, if anyone
is allowing their users to run as administrator on their boxes, they are
asking for a lot of pain. That being said, everyone's business
requirements are different and environmental complexity varies, but if
your business requires you to get to least privilege, then products like
Privilege Manager can make that easier and frankly, more reliable than
trying to poke around the file system and registry and hoping you find
everything. Also, keep in mind that doing those file system or registry
changes means that you are persisting access to those locations to any
process running on the system. As an alternative, products that elevate
on a per-process basis prevent this opening completely. 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R
Sent: Wednesday, April 16, 2008 2:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

 

Thanks for the feedback, Michael. I know I can create security templates
for the problem applications and apply them with GP but I really hate
changing default file/registry permissions. That is really just
side-stepping the problem instead of solving it. Ultimately folks need
to understand how to properly design an application to run as a normal
user, but that is easier said than done when dealing with tons of
different vendors.

 

Jamie Nelson | Systems Engineer | Systems Support, Information
Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
405.553.5687 | http://www.integrisok.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Michael Pietrzak
Sent: Wednesday, April 16, 2008 12:57 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

 

I looked at it a while back and for the price they were asking for, it
didn't seem well worth it. I guess it comes down to need. If you have
funky off-the-wall applications that need to be run as administrator to
run, update, etc., then it's the perfect tool for elevating privileges.
But it's a real niche product and sometimes you can accomplish the same
thing by messing with the ACLs for the program's file group and add the
domain users group to full control on the entire folder group. That's
how we worked around having to give admin access to all our users.

 

But the company seems good and tech support was very helpful when I was
testing it out.

 

Michael

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R
Sent: Wednesday, April 16, 2008 10:53 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] BeyondTrust Privilege Manager

 

Is anyone out there currently using BeyondTrust® Privilege Manager in
their Group Policy environment? If so, what are your thoughts about it?
What I've seen and heard looks pretty cool, but I am interested in some
real-world feedback on how effective it really is.

 

Any help is greatly appreciated.

 

Regards,

 

Jamie Nelson | Systems Engineer | Systems Support, Information
Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
405.553.5687 | http://www.integrisok.com
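
The thread weighs loosening folder ACLs for Domain Users against per-process elevation, noting that an ACL change stays open to every process on the system. The PowerShell below is an added example, not part of any poster's message or of Privilege Manager: it lists directories where a broad group holds an explicit write-capable ACE, so such workarounds can be found and reviewed. The default root path and the set of "broad" SIDs are assumptions.

```powershell
# Added example, not from the thread. $Root defaults to Program Files (assumption).
param([string]$Root = $env:ProgramFiles)

$sidType = [System.Security.Principal.SecurityIdentifier]
# File-system rights that let a principal alter or replace program files.
$writeRights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE and GENERIC_ALL, which some ACEs store as raw access-mask bits.
$genericBits = 0x40000000 -bor 0x10000000

function Test-BroadSid([string]$Sid) {
    # Everyone, INTERACTIVE, Authenticated Users, BUILTIN\Users,
    # or any domain's Domain Users group (RID 513).
    ($Sid -in 'S-1-1-0', 'S-1-5-4', 'S-1-5-11', 'S-1-5-32-545') -or
        ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$')
}

$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($dir in $dirs) {
    try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
    catch { continue }   # ACL not readable with current rights: skip this directory

    # Explicit ACEs only: they mark where defaults were changed; children just inherit.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid  = $ace.IdentityReference.Value
        $bits = [int]$ace.FileSystemRights
        if (-not (Test-BroadSid $sid)) { continue }
        if (-not (($bits -band $writeRights) -or ($bits -band $genericBits))) { continue }

        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }   # SID could not be resolved to an account name

        [pscustomobject]@{
            Path    = $dir.FullName
            Account = $name
            Rights  = $ace.FileSystemRights
            Inherit = $ace.InheritanceFlags
        }
    }
}
```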

 

 

________________________________

This e-mail may contain identifiable health information that is subject
to protection under state and federal law. This information is intended
to be for the use of the individual named above. If you are not the
intended recipient, be aware that any disclosure, copying, distribution
or use of the contents of this information is prohibited and may be
punishable by law. If you have received this electronic transmission in
error, please notify us immediately by electronic mail (reply). 

 
