Administrators shudder when end-users request administrator privileges on their own systems. The fear of malicious and unauthorized applications having unfettered system access is significant, and for good reason. Often, though, users need administrator privileges to install and run approved business applications, creating a dilemma: how to enable users to work effectively while protecting their systems.
Winternals Protection Manager helps systems administrators implement the security principle of least privilege?that is, grant users only the privileges they need to work effectively. Protection Manager installs quickly on any available network server, and the Protection Manager Console makes client deployment easy. You can then scan deployed clients to identify all installed programs, even those the user has tried to hide, and place programs into the Application Browser, which provides a fast way to make a list of programs for creating File Sets (i.e., groups of programs to be managed). You also use the console to create the File Sets and Roles (sets of users, security groups, or computers).
Roles can be in one of four modes. Disabled Mode lets both trusted and untrusted applications run and is helpful when designing Roles. Silent Deployment Mode runs all applications except those that are explicitly denied and logs the execution of untrusted applications. Interactive Deployment Mode warns users when untrusted applications are being launched, and Enforced Mode denies access to all applications that aren't explicitly trusted. You can apply File Sets to a Role when it's created or add them to a Role later. When applying a File Set to a Role, you specify whether the execution of all applications in the File Set is allowed or denied and whether allowed applications run with or without administrative privileges.
I tested Protection Manager's ability to restrict application access by creating a File Set containing setup programs for several applications that require administrative access to install and added the File Set to a Role containing domain users. Next, I specified that the Role should run the programs in the File Set with administrative privileges and deny access to Solitaire. Then I logged on as a user and verified that I could run the programs in the File Set with administrative privileges and that I was denied access to Solitaire.
Protection Manager includes a request system that lets users request that access to denied programs be added to their Role. The administrator who receives the request can then let the user know whether the request is granted.
Many tasks in the Protection Manager Console require dragging items from one place to another. Although this requirement occasionally confused me because I prefer to use a context menu to perform tasks, it's a minor complaint and doesn't prevent me from strongly recommending Protection Manager to any administrator who wants to implement a least-privilege user environment or protect systems from unauthorized programs. Microsoft recently acquired Winternals but has promised to provide product support and updates according to customers' support agreements.
PROS: Flexible configuration; effectively prevents execution of untrusted programs; good notification system; easy client installation