[gptalk] Re: BeyondTrust Privilege Manager

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 16 Apr 2008 16:35:19 -0700

Just a few comments here. Privilege Manager solves the problem of running
with least privilege at a deeper level than just file and registry
permissions. You can do things like grant user rights, allow ActiveX
installations, run core OS tasks (e.g. install a printer) that would
normally require elevated rights. So, I would look at it as a more holistic
approach for getting to least privilege use. Frankly, if anyone is allowing
their users to run as administrator on their boxes, they are asking for a
lot of pain. That being said, everyone's business requirements are different
and environmental complexity varies, but if your business requires you to
get to least privilege, then products like Privilege Manager can make that
easier and frankly, more reliable than trying to poke around the file system
and registry and hoping you find everything. Also, keep in mind that doing
those file system or registry changes means that you are persisting access
to those locations to any process running on the system. As an alternative,
products that elevate on a per-process basis prevent this opening
completely. 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R
Sent: Wednesday, April 16, 2008 2:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

 

Thanks for the feedback Michael. I know I can create security templates for
the problem applications and apply them with GP but I really hate changing
default file/registry permissions. That is really just side-stepping the
problem instead of solving it. Ultimately folks need to understand how to
properly design an application to run as a normal user, but that is easier
said than done when dealing with tons of different vendors.

 

Jamie Nelson | Systems Engineer | Systems Support, Information Technology |
I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 |
http://www.integrisok.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Michael Pietrzak
Sent: Wednesday, April 16, 2008 12:57 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: BeyondTrust Privilege Manager

 

I looked at it a while back and for the price they were asking, it
didn't seem well worth it. I guess it comes down to need. If you have funky
off-the-wall applications that need to be run as administrator to run,
update, etc., then it's the perfect tool for elevating privileges. But it's a
real niche product and sometimes you can accomplish the same thing by
messing with the ACLs for the program's file group and add the domain users
group to full control on the entire folder group. That's how we worked
around having to give admin access to all our users.

 

But the company seems good and tech support was very helpful when I was
testing it out.

 

Michael

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R
Sent: Wednesday, April 16, 2008 10:53 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] BeyondTrust Privilege Manager

 

Is anyone out there currently using BeyondTrust® Privilege Manager in their
Group Policy environment? If so, what are your thoughts about it? What I've
seen and heard looks pretty cool, but I am interested in some real-world
feedback on how effective it really is.

 

Any help is greatly appreciated.

 

Regards,

 

Jamie Nelson | Systems Engineer | Systems Support, Information Technology |
I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 |
http://www.integrisok.com

 

 

  _____  

This e-mail may contain identifiable health information that is subject to
protection under state and federal law. This information is intended to be
for the use of the individual named above. If you are not the intended
recipient, be aware that any disclosure, copying, distribution or use of the
contents of this information is prohibited and may be punishable by law. If
you have received this electronic transmission in error, please notify us
immediately by electronic mail (reply). 
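
Added example, not part of any message in this thread: a read-only PowerShell audit for the ACL workaround discussed above, listing folders where a broad group holds an explicit write-capable ACE, which is the access that persists for any process running as those users. The `$Root` default of Program Files and the set of groups treated as broad (Everyone, Authenticated Users, BUILTIN\Users, Domain Users) are assumptions.

```powershell
# Added example (not from the thread). Read-only: it changes no ACLs.
param(
    # Assumption: the loosened application folders sit under Program Files.
    [string]$Root = $env:ProgramFiles
)

# Broad principals by well-known SID, so localized group names do not matter.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
$domainUsers = '^S-1-5-21-[\d-]+-513$'   # <domain SID>-513 is Domain Users

# Rights that let a process alter or replace content, plus GENERIC_WRITE
# (0x40000000) and GENERIC_ALL (0x10000000), which can appear as raw bits.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x50000000
$sidType = [System.Security.Principal.SecurityIdentifier]

$folders = @(Get-Item -LiteralPath $Root) +
    @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($folder in $folders) {
    try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { continue }   # unreadable folder: skip it
    # Explicit ACEs only, so an inherited grant is reported once, where it was set.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadSids -notcontains $sid -and $sid -notmatch $domainUsers) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        [pscustomobject]@{
            Path     = $folder.FullName
            Identity = $sid
            Rights   = $ace.FileSystemRights
        }
    }
}
```

Each row of output is a folder whose contents any process running as a member of that group can modify; an empty result means no such explicit grants were found under `$Root`.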
