It depends upon the exploits, Jamie. If I remember correctly from when I asked about this a while ago, Privilege Manager has some protection from cross-process injection. So if the vulnerability requires access from outside its process, they can protect against that. But it's probably best to ask about this scenario, as there are many ways to exploit a vulnerability. Also, it's still much better than loosening system security for all processes, in my mind.

In terms of getting vendors to "do the right thing", just for perspective, I was having this same conversation with vendors 10 years ago when I was doing IT. It is happening, but it's glacial.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R
Sent: Thursday, April 17, 2008 9:16 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

Couldn't agree more. However, even if you're only elevating on a per-process level, aren't you still vulnerable if that particular application has known exploits? The ultimate goal is to get people (software developers) to understand the least privilege model so that applications can run in the context of a normal user. The bigger companies caught on pretty quickly, but a lot of smaller vendors and in-house developers still don't get it (even though Windows XP has been out for 6+ years!).

Privilege Manager is definitely the best alternative I've seen if you absolutely have to remove rights in a hurry (and have a lot of problem applications). Otherwise, you attack the source of the problem by tactfully explaining to vendors how they are creating issues for you, in hopes that they'll fix the problem themselves.
Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 | http://www.integrisok.com

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Wednesday, April 16, 2008 6:35 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

Just a few comments here. Privilege Manager solves the problem of running with least privilege at a deeper level than just file and registry permissions. You can do things like grant user rights, allow ActiveX installations, and run core OS tasks (e.g. install a printer) that would normally require elevated rights. So, I would look at it as a more holistic approach for getting to least privilege use.

Frankly, if anyone is allowing their users to run as administrator on their boxes, they are asking for a lot of pain. That being said, everyone's business requirements are different and environmental complexity varies, but if your business requires you to get to least privilege, then products like Privilege Manager can make that easier and, frankly, more reliable than trying to poke around the file system and registry and hoping you find everything. Also, keep in mind that doing those file system or registry changes means that you are persisting access to those locations to any process running on the system. As an alternative, products that elevate on a per-process basis prevent this opening completely.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R
Sent: Wednesday, April 16, 2008 2:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

Thanks for the feedback, Michael. I know I can create security templates for the problem applications and apply them with GP, but I really hate changing default file/registry permissions.
That is really just side-stepping the problem instead of solving it. Ultimately folks need to understand how to properly design an application to run as a normal user, but that is easier said than done when dealing with tons of different vendors.

Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 | http://www.integrisok.com

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Pietrzak
Sent: Wednesday, April 16, 2008 12:57 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

I looked at it a while back and, for the price they were asking for, it didn't seem well worth it. I guess it comes down to need. If you have funky off-the-wall applications that need to be run as administrator to run, update, etc., then it's the perfect tool for elevating privileges. But it's a real niche product, and sometimes you can accomplish the same thing by messing with the ACLs for the program's file group and adding the domain users group to full control on the entire folder group. That's how we worked around having to give admin access to all our users. But the company seems good and tech support was very helpful when I was testing it out.

Michael

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R
Sent: Wednesday, April 16, 2008 10:53 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] BeyondTrust Privilege Manager

Is anyone out there currently using BeyondTrust® Privilege Manager in their Group Policy environment? If so, what are your thoughts about it? What I've seen and heard looks pretty cool, but I am interested in some real-world feedback on how effective it really is. Any help is greatly appreciated.
Regards,

Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 | http://www.integrisok.com

_____
This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply).
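The ACL workaround Michael describes (giving Domain Users full control over an application's folder tree) is exactly the kind of change Darren warns about: the write access is granted to the directory, so every process that runs as that user, not just the problem application, can plant or replace files there. The script below is an added example, not code from the thread or from BeyondTrust, that audits a machine for such loosened application directories so they can be found and reviewed. It assumes PowerShell 3.0 or later (for Get-ChildItem -Directory), that applications live under the standard Program Files roots, and that the listed group names are the broad principals in your environment; all three are assumptions to adjust.

```powershell
# Added example (not from the gptalk thread or BeyondTrust): list application
# directories under Program Files whose ACL grants write-capable rights to broad
# groups (Users, Domain Users, Authenticated Users, Everyone). These are the
# "persisted to every process" openings Darren describes.
# Assumptions: PowerShell 3.0+, standard Program Files roots, group names below.

$roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Broad principals whose write access to an application folder is worth reviewing.
# (Assumed list; extend with site-specific groups as needed.)
$broadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)
# Any "<DOMAIN>\Domain Users" group, whatever the domain NetBIOS name is.
$domainUsersPattern = '\\Domain Users$'

# Rights that let a process create, modify, or replace content in the directory.
# FullControl and Modify are supersets, but listing the primitives catches ACEs
# that grant only a subset (e.g. just CreateFiles or Delete).
$writeRights = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                     [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                     [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                     [System.Security.AccessControl.FileSystemRights]::Delete -bor
                     [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                     [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                     [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Test-BroadPrincipal {
    param([string]$Identity)
    return ($broadPrincipals -contains $Identity) -or ($Identity -match $domainUsersPattern)
}

function Get-LooseApplicationDirs {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        # Top-level application folders only; add -Recurse to check the whole tree.
        Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
            $dir = $_
            try { $acl = Get-Acl -LiteralPath $dir.FullName } catch { return }
            foreach ($ace in $acl.Access) {
                # Only Allow ACEs matter; Deny ACEs narrow access, they do not open it.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if (-not (Test-BroadPrincipal $ace.IdentityReference.Value)) { continue }
                if (([int]$ace.FileSystemRights -band $writeRights) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-LooseApplicationDirs -Roots $roots | Sort-Object Path | Format-Table -AutoSize
```

Inherited = False is the interesting case: an explicit ACE on an application folder is almost always a hand-applied workaround like the one in the thread, whereas inherited entries come from the parent's defaults. A directory that shows up here can be handed to the vendor as the concrete evidence Jamie talks about (this is the location your installer or updater needs the user to write to), or, if the access really is required, narrowed to the specific subfolder or files the application writes rather than the whole tree.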