The topic of users running as local administrators seems to be on everyone's mind lately. Because antivirus and antispyware solutions often offer too little protection too late, administrators are looking for a better way to protect users' computers. BeyondTrust's PowerBroker Desktops, Windows Edition, can help you take back control and put the users back in their place -- as local users, not administrators.
Installing and Configuring the Product
There are two basic components in PowerBroker: a Group Policy Management Console (GPMC) snap-in, which Figure 1 shows, and a client agent that's installed on each Windows 7, Windows Vista, or Windows XP client. Both come in 32- and 64-bit versions. The GPMC snap-in can be installed on Windows Server 2003 SP1 and later or on XP SP2 and later.
I installed the GPMC snap-in on my test domain's domain controller (DC). The only prerequisite is Microsoft .NET Framework 4.0, which must be installed separately. When you double-click the pbwdsnap32/64.msi file, a short wizard helps you install the application. It took under a minute on my DC.
I chose to install the client agent through Group Policy. By doing it this way, every time you add a new Windows 7, Vista, or XP computer to the domain and place it in the proper organizational unit (OU), the agent will be automatically installed without any other user or administrator intervention. Licensing is controlled by an XML license file that's imported into the application through GPMC.
Installing and Configuring the Optional Reporting Solution
An optional reporting environment can be installed on a separate server. PowerBroker Desktops Auditing and Reporting requires a Microsoft SQL Server or SQL Server Express back-end database. This handy reporting tool uses the Microsoft Event Forwarding service to gather information about the applications that are being used and any privileges that they might require. Although optional, you'll soon discover that this feature is really the heart of the application, as I explain later in this review.
Unlike the GPMC snap-in and client agent, the PowerBroker Desktops Auditing and Reporting software took much more time to install and configure. The Installation Guide does a good job of walking you through the setup tasks, but there were quite a few settings to configure.
The last step is to configure the Windows Remote Management (WinRM) and Event Forwarding on each Windows 7, Vista, or XP computer. This can be done with Group Policy.
Overall, setting up PowerBroker Desktops Auditing and Reporting isn't difficult. However, the process is lengthy and prone to failure if you make one mistake or miss a configuration step.
Using the Product
Creating a new rule that allows users to run a specific piece of software is a right-click and a short wizard away. In under a minute, I was able to create a rule that allows non-administrators to use the built-in disk defragmentation tool. Instead of being met with the standard Windows 7 User Account Control (UAC) prompt, non-administrators can now easily run this tool.
The rules can be as simple or as complex as you need them to be. For example, when I created the rule for the disk defragmentation tool, it didn't work the first time. This is because the rule was looking specifically for version 6.0.6001.18000 of lhdfrgui.exe, the version on the Windows Server 2008 machine where the rule was created. The rule didn't apply to my Windows 7 test client, which uses version 6.1.7601.17514 of the same file. So, instead of using the file version in the rule, I used the filename and publisher (O=Microsoft Corporation, L=Redmond, S=Washington, C=US) to uniquely identify the file. After I did this, the rule worked perfectly.
If the filename and publisher aren't sufficient for security reasons, PowerBroker can uniquely identify a program by its pathname, a hash, a Windows Installer path, or an ActiveX component. Other options, such as the file location on a CD or DVD based on the serial number of the disk, are available as well.
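To see why the version-based rule missed and the publisher-based rule hit, the following PowerShell reproduces the matching logic in plain script. This is an added example, not code from the review or from BeyondTrust's product; the functions Get-RuleIdentity and Test-RuleMatch, the publisher-string derivation (dropping the CN component of the signer's subject), the placeholder hashes, and the assumption that Get-AuthenticodeSignature resolves the signer of catalog-signed OS binaries (Windows PowerShell 5.1 or later on a current Windows build) are all mine.

```powershell
# Added example (not from the review or the product). Assumes Windows PowerShell 5.1+
# so that catalog-signed OS binaries such as lhdfrgui.exe report a signer certificate.

function Get-RuleIdentity {
    # Collects the attributes a rule can key on for one executable.
    param([Parameter(Mandatory)][string]$Path)
    $vi  = (Get-Item -LiteralPath $Path).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $publisher = $null
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        # Drop CN from the subject DN; this yields the "O=..., L=..., S=..., C=..."
        # form quoted in the review (assumption about how that string is formed).
        $publisher = ($sig.SignerCertificate.Subject -split ',\s*' |
                      Where-Object { $_ -notlike 'CN=*' }) -join ', '
    }
    [pscustomobject]@{
        FileName    = [IO.Path]::GetFileName($Path)
        FileVersion = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        Publisher   = $publisher
        Sha256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Test-RuleMatch {
    # Compares the identity captured where the rule was authored against the file
    # on a client, using one of the identification strategies the review mentions.
    param(
        [Parameter(Mandatory)]$Rule,
        [Parameter(Mandatory)]$Client,
        [ValidateSet('Version','Publisher','Hash')][string]$MatchOn = 'Publisher'
    )
    if ($Rule.FileName -ne $Client.FileName) { return $false }
    switch ($MatchOn) {
        'Version'   { return $Rule.FileVersion -eq $Client.FileVersion }
        'Publisher' { return [bool]$Rule.Publisher -and $Rule.Publisher -eq $Client.Publisher }
        'Hash'      { return $Rule.Sha256 -eq $Client.Sha256 }
    }
}

# Constructed sample identities using the two file versions quoted in the review
# (hashes are placeholders). On real hosts, build them with
# Get-RuleIdentity 'C:\Windows\System32\lhdfrgui.exe' on each machine instead.
$ms = 'O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
$onServer2008 = [pscustomobject]@{ FileName='lhdfrgui.exe'; FileVersion='6.0.6001.18000'; Publisher=$ms; Sha256='PLACEHOLDER_HASH_A' }
$onWindows7   = [pscustomobject]@{ FileName='lhdfrgui.exe'; FileVersion='6.1.7601.17514'; Publisher=$ms; Sha256='PLACEHOLDER_HASH_B' }

Test-RuleMatch $onServer2008 $onWindows7 -MatchOn Version    # the rule as first authored
Test-RuleMatch $onServer2008 $onWindows7 -MatchOn Publisher  # the rule after the fix
Test-RuleMatch $onServer2008 $onWindows7 -MatchOn Hash       # tightest match, but tied to one build
```

Run Get-RuleIdentity on the authoring machine and on a representative client before choosing the match type: if only the version differs, a publisher rule survives OS updates, while a hash rule has to be regenerated for every patched build.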
Finally, Windows Management Instrumentation (WMI) filters are available to further define who should have the privilege of running the application defined in the rule. There are 26 filters, including filters based on whether a battery is present, CPU speed, disk space available, memory, and Active Directory (AD) security group.
When users attempt to use an application and they have the necessary privilege, the default action is to simply allow them to run it. This behavior can be changed, however, to prompt the users for justification as to why they need to use it.
Using the Reporting Solution
Pre-authorizing applications that you anticipate that your users will need is useful, but this only takes you so far in the real world. As soon as you deploy a computer to a user, the user will undoubtedly need the ability to use an application that you didn't anticipate. This is where the optional reporting functionality comes in.
The reporting application, PBReports.exe, can be accessed from GPMC or by simply creating a shortcut to the executable. If you receive a request from a user who needs to run an application, you use the reporting tool to create a rule that would allow the user to run it.
For example, suppose a user wants to run an application named MyProgram.exe. First, you use the reporting tool's query functions to narrow down the list of Windows events to just the one that you need. You'll know that you have the right one when MyProgram.exe is listed in the Application column of the report. Next, you right-click MyProgram.exe and choose to generate a publisher, path, or hash rule. Doing so lets you copy XML-style data to the clipboard. This data is then pasted directly into the GPMC's PowerBroker section. Although the copy-and-paste operation is all that it takes to automatically generate a new rule, the process is a bit clunky compared to other solutions in this market.
An Easier Way to Protect Users' Computers
PowerBroker does the heavy lifting for you. Instead of having to relax NTFS or registry security for each application that would normally require local administrator privileges, PowerBroker elevates the user's privileges for just that application. The GPMC integration is super convenient, but configuring the reporting solution can be tricky if you miss one of the many steps that are required. For this reason, I'm giving PowerBroker 4 stars out of 5.
PowerBroker Desktops, Windows Edition