Wednesday, March 19, 2008

Getting "Beyond" admin rights for your applications

One of the biggest security issues that organizations face is that users are often local administrators of their computers. This means that they can do pretty much anything, including installing malware or otherwise breaking the computer. So why do admins continue to let users be admins? One of the main reasons is that a number of applications are written poorly, under the assumption that the user will be an admin. This is easier for the programmers, but it makes managing an enterprise environment way more difficult. The solution seems easy enough - take away the admin rights from the users. But it gets very, very complicated when there are hundreds of applications that need to be vetted and managed to determine whether they require admin privileges or not, and, if so, how to trick them.

BeyondTrust has been working in the systems management space for a long time, with recent products focusing on dealing with the Vista User Account Control prompts, among other things. They now have a product on the market, Application Rights Auditor, that can be used to scan user workstations and determine which applications require administrative permissions to run. And the best part is that the tool is FREE!

The product consists of two pieces, a user agent and a management console. The user agent runs in the background, monitoring the running applications and feeding data back to a central repository, where the management console can query the data and report on it. By installing the agent on a representative set of computers (or all of them, if you want to be extra thorough) and letting users work normally for a few days, you get not only an inventory of all the apps in use on the system (and who is using them) but also a list of which ones require admin privileges.

BeyondTrust is hoping that you'll buy the Privilege Manager product, and that is one option, but it is also possible to shim pretty much every application running on Vista to trick it into thinking that it is running the way it wants to, without ever actually granting those rights. Alternatively, rights to files and registry settings can be selectively granted. There are a number of ways to skin the cat once you've caught it, and this tool seems to be a great option for doing just that.
