[gptalk] Re: BeyondTrust Privilege Manager

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 17 Apr 2008 10:10:24 -0700

It depends upon the exploits, Jamie. If I remember correctly from when I
asked about this a while ago, Privilege Manager has some protection from
cross-process injection. So if the vulnerability requires access from
outside its process, they can protect against that. But it's probably best to
ask about this scenario as there are many ways to exploit a vulnerability.
Also, it's still much better than loosening system security for all processes
in my mind.

 

In terms of getting vendors to "do the right thing", just for perspective, I
was having this same conversation with vendors 10 years ago when I was doing
IT. It is happening, but it's glacial.

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R
Sent: Thursday, April 17, 2008 9:16 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

 

Couldn't agree more. However, even if you're only elevating on a per-process
level, aren't you still vulnerable if that particular application has known
exploits?

 

The ultimate goal is to get people (software developers) to understand the
least privilege model so that applications can run in the context of a
normal user. The bigger companies caught on pretty quickly, but a lot of
smaller vendors and in-house developers still don't get it (even though
Windows XP has been out for 6+ years!). Privilege Manager is definitely the
best alternative I've seen if you absolutely have to remove rights in a
hurry (and have a lot of problem applications). Otherwise, you attack the
source of the problem by tactfully explaining to vendors how they are
creating issues for you, in hopes that they'll fix the problem themselves.

 

Jamie Nelson | Systems Engineer | Systems Support, Information Technology |
I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 |
http://www.integrisok.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Wednesday, April 16, 2008 6:35 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

 

Just a few comments here. Privilege Manager solves the problem of running
with least privilege at a deeper level than just file and registry
permissions. You can do things like grant user rights, allow ActiveX
installations, run core OS tasks (e.g. install a printer) that would
normally require elevated rights. So, I would look at it as a more holistic
approach for getting to least privilege use. Frankly, if anyone is allowing
their users to run as administrator on their boxes, they are asking for a
lot of pain. That being said, everyone's business requirements are different
and environmental complexity varies, but if your business requires you to
get to least privilege, then products like Privilege Manager can make that
easier and frankly, more reliable than trying to poke around the file system
and registry and hoping you find everything. Also, keep in mind that doing
those file system or registry changes means that you are persisting access
to those locations to any process running on the system. As an alternative,
products that elevate on a per-process basis prevent this opening
completely. 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R
Sent: Wednesday, April 16, 2008 2:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

 

Thanks for the feedback Michael. I know I can create security templates for
the problem applications and apply them with GP but I really hate changing
default file/registry permissions. That is really just side-stepping the
problem instead of solving it. Ultimately folks need to understand how to
properly design an application to run as a normal user, but that is easier
said than done when dealing with tons of different vendors.

 

Jamie Nelson | Systems Engineer | Systems Support, Information Technology |
I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 |
http://www.integrisok.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Michael Pietrzak
Sent: Wednesday, April 16, 2008 12:57 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

 

I looked at it a while back and for the price they were asking for, it
didn't seem well worth it. I guess it comes down to need. If you have funky
off the wall applications that need to be run as administrator to run,
update etc, then it's the perfect tool for elevating privileges. But it's a
real niche product and sometimes you can accomplish the same thing by
messing with the ACLs for the program's file group and add the domain users
group to full control on the entire folder group. That's how we worked
around having to give admin access to all our users.

 

But the company seems good and tech support was very helpful when I was
testing it out.

 

Michael
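
[Added example, not part of any message in this thread and not BeyondTrust code: a PowerShell audit for the side effect discussed above, where loosening folder ACLs leaves write access open to every process a standard user runs. The path C:\Program Files\ExampleApp is a hypothetical placeholder; broad groups are matched by well-known SID so the check does not depend on localized group names.]

```powershell
# Added example: report Allow ACEs that give broad user groups write-level
# access under an application folder (the "loosened ACL" workaround).
param([string]$Root = 'C:\Program Files\ExampleApp')  # hypothetical path

$sidType = [System.Security.Principal.SecurityIdentifier]
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Specific rights that let a process alter or replace content, plus the
# generic bits that can appear on inherit-only ACEs.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericBits = 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $sid  = $ace.IdentityReference.Value
        $name = $broad[$sid]
        # Domain Users is the domain SID followed by RID 513.
        if (-not $name -and $sid -match '^S-1-5-21-.+-513$') { $name = 'Domain Users' }
        if (-not $name) { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band ($writeBits -bor $genericBits)) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # False = ACE set directly on this item
        }
    }
}
```

[Rows with Inherited = False on an executable or DLL are the ones to review first: any process running as that user can replace the file.]
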

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R
Sent: Wednesday, April 16, 2008 10:53 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] BeyondTrust Privilege Manager

 

Is anyone out there currently using BeyondTrust® Privilege Manager in their
Group Policy environment? If so, what are your thoughts about it? What I've
seen and heard looks pretty cool, but I am interested in some real-world
feedback on how effective it really is.

 

Any help is greatly appreciated.

 

Regards,

 

Jamie Nelson | Systems Engineer | Systems Support, Information Technology |
I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 |
http://www.integrisok.com

 

 

  _____  

This e-mail may contain identifiable health information that is subject to
protection under state and federal law. This information is intended to be
for the use of the individual named above. If you are not the intended
recipient, be aware that any disclosure, copying, distribution or use of the
contents of this information is prohibited and may be punishable by law. If
you have received this electronic transmission in error, please notify us
immediately by electronic mail (reply). 
