One of the many annoyances that Windows administrators face is a lack of control over the software their users run on company workstations. You can lock a user's PC down so that nothing but company-authorized software runs on it (a time-consuming process), or you can give the user Local Administrator rights and live with the resulting software free-for-all. Bit9 has stepped in with an "in-between" solution—an application-control product called Parity.
Parity gives administrators complete control over which applications a user can and can’t run, all without a lengthy setup process or huge administrative overhead. Parity even lets you create groups so that you can establish various security levels for a particular set of users. For example, perhaps you'd like to lock down most of your users but simply monitor the IT department and allow those users to install their own software. It’s this kind of control and flexibility that makes Parity a workable solution.
To test Parity, I created four virtual machines (VMs) using VMware’s free virtualization product, VMware Server. Two of the VMs ran Windows Server 2003 with Service Pack 1 (SP1). The first server was a domain controller (DC) and took care of DNS, WINS, and the test network's Active Directory (AD) functions. The second server ran the Parity software. A back-end database is required to run Parity, so SQL Server 2005 Express Edition ran on the Parity server as well. The third and fourth VMs ran Windows XP with SP2: One I called “Sales-1” and the other “IT-1,” and I used them to test how Parity protects computers.
The setup process is straightforward. The Parity administration tools are all Web-based and run on an Apache Web server secured with a Secure Sockets Layer (SSL) certificate; Microsoft IIS must not be installed on the same server. If you don't have a certificate available, Parity will create one for you during installation, but a certificate the installer generates is self-signed, so expect a browser trust warning until you replace it with one issued by a certification authority (CA) your workstations already trust. Bit9 requires you to activate Parity, which you can do via a simple online process. After Parity is installed, you log in through Microsoft Internet Explorer (IE) and are presented with a simple home page that lets you monitor recent file activity, approve software, and manage host groups.
After the installation was complete, I created two host groups: one for the fictional IT department, and one for the Sales department. I intended to lock the Sales department down tight but allow the users in IT to install software. Once the host groups were set up, I loaded the Parity client onto the two test PCs. This process is simple because Bit9 packages the Parity client as an MSI, which can be deployed via Microsoft Systems Management Server (SMS), Group Policy, or any other method that leverages the MSI format. I chose to use Group Policy to deploy the clients. Although a Parity host group and the corresponding AD security group aren't directly linked, it's good practice to keep the two names aligned. For example, I might create a Parity host group called Parity Sales and an AD security group also called Parity Sales, then use the AD group to filter the Group Policy Object (GPO) that installs the Sales client, so that Sales PCs receive the Sales client and nothing else. If you assign the MSI under Computer Configuration (the usual choice for a host agent), the filtering group must contain the computer accounts rather than the users. Each host group has its own custom Parity client, so it's important to deploy the correct one.
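As an added example (not from the article and not Bit9's own tooling), the following PowerShell script enforces the naming convention described above on a current domain: for each Parity host group it creates a same-named AD security group containing that group's computer accounts, a same-named GPO linked to the workstation OU, and a security filter so that only members of the matching group apply the GPO. It assumes the ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later, not the Server 2003 test bed used in the review) and placeholder names for the domain and OUs. The Software Installation setting itself, assigning the host group's MSI under Computer Configuration, has no cmdlet and is still configured in the Group Policy Management Console after the GPO exists.

```powershell
# Added example: keep Parity host groups, AD security groups and GPOs aligned
# by name so each host group's custom client MSI lands only on its own PCs.
# Assumes the ActiveDirectory and GroupPolicy modules; domain and OU names
# below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupOU  = 'OU=Groups,DC=corp,DC=example,DC=com'        # placeholder OU for groups
$TargetOU = 'OU=Workstations,DC=corp,DC=example,DC=com'  # placeholder OU the GPOs link to

# Parity host group name -> computer accounts that belong to it.
# Sales-1 and IT-1 are the two test PCs from the review.
$HostGroups = @{
    'Parity Sales' = @('Sales-1')
    'Parity IT'    = @('IT-1')
}

foreach ($name in $HostGroups.Keys) {
    # 1. AD security group with the same name as the Parity host group.
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-ADGroup -Name $name -SamAccountName ($name -replace ' ', '') `
                 -GroupScope Global -GroupCategory Security -Path $GroupOU -PassThru
    }

    # Membership is computer accounts: the client MSI is assigned per machine
    # under Computer Configuration, so the filter must match the PC, not the
    # user who happens to log on.
    foreach ($pc in $HostGroups[$name]) {
        Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $pc)
    }

    # 2. GPO with the same name, linked to the workstation OU. The MSI
    #    assignment (Computer Configuration > Software Settings) is added
    #    to this GPO afterwards in GPMC.
    $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $name -Comment "Installs the '$name' Parity client MSI"
        New-GPLink -Name $name -Target $TargetOU -LinkEnabled Yes | Out-Null
    }

    # 3. Security filtering: only members of the matching group apply this GPO.
    #    Reduce Authenticated Users from the default Apply to Read only (domain
    #    members must still be able to read the policy), then grant Apply to
    #    the same-named group.
    Set-GPPermission -Name $name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $name -TargetName $name -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# 4. Verify the filtering before any client is pushed out: each GPO should
#    list exactly its own group as the only trustee with GpoApply.
foreach ($name in $HostGroups.Keys) {
    $applyTo = Get-GPPermission -Name $name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    "{0}: applied to {1}" -f $name, ($applyTo -join ', ')
}
```

Run the verification loop again after adding the MSI to each GPO; if a GPO shows more than its own group under GpoApply, a PC could receive the wrong host group's client.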
With Parity set up and the client deployed, I was ready to put the product through its paces. I logged on to the IT-1 PC and attempted to install the Google Toolbar. Parity immediately threw up a dialog box asking if I really wanted to continue, but it allowed me to install the software. This type of warning is ideal for protecting against rogue applications being installed in the background while still allowing privileged users the flexibility to install the software they need to do their jobs. When I tried to install the Google Toolbar onto Sales-1, it was a different story. I was immediately blocked from installing the software. And unbeknownst to me at the time, this action was logged on the Parity server, as Figure 1 shows. When I logged back on to the Parity server as administrator, I had the choice of allowing the Google Toolbar to continue to run or of continuing to block it.
The only concern I had with Parity is that I wasn't able to test it with Windows Vista. Bit9 told me that the reason it isn't releasing a Vista agent for Parity is because “customers will not be deploying Vista into their environments until late 2007.” However, I believe that a primary reason why businesses are slow to move to Vista is because so many drivers and utilities aren't Vista-ready yet. I hope Bit9 changes its mind and releases a Vista agent soon. Parity could be the icing on Vista’s cake.
Parity fills an administrative hole in Windows-based networks. It's simple, lightweight, and easy to use. If you need to tighten control over the software your users are allowed to run on company PCs, Parity is worth your consideration.
--Eric B. Rux.