Product Review: Viewfinity Privilege Management

Take the work out of discovering permissions each application needs to function correctly

Having domain users be the local administrators of their own computers is a bad but common practice. To make matters worse, if the Domain Users group is a member of the local administrator group, the users also have administrative privileges on every computer in the domain. Administrators know that this is a security risk, but on top of the daily fires that they have to extinguish, there often isn't time to remedy this situation.
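As an added check (not part of the review or of Viewfinity's product), the PowerShell script below audits the local Administrators group on a list of computers and flags the broad domain groups the paragraph warns about; the domain name and computer names are placeholders, and it uses the WinNT ADSI provider so it works on the XP/Windows 7 era clients discussed here.

```powershell
# Added example (not the review's or Viewfinity's code): audit local Administrators
# membership and flag broad domain groups such as Domain Users.
# Assumes the running account can read each remote SAM via the WinNT ADSI provider.

$DomainName = 'CONTOSO'                      # placeholder: your domain's NetBIOS name
$Computers  = @('WKS01', 'WKS02', 'SRV01')   # constructed sample list of hosts to audit

# Principals that should never be members of a workstation's Administrators group.
$RiskyMembers = @("$DomainName\Domain Users", "$DomainName\Domain Computers",
                  'NT AUTHORITY\Authenticated Users', 'Everyone')

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    # Members() returns COM objects; read each one's ADsPath and turn it into DOMAIN\Name.
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LocalAdminMembership {
    param([string[]]$ComputerName, [string[]]$Risky)
    foreach ($c in $ComputerName) {
        try {
            $members = Get-LocalAdminMembers -ComputerName $c
        } catch {
            [pscustomobject]@{ Computer = $c; Member = $null; Finding = "Unreachable: $($_.Exception.Message)" }
            continue
        }
        foreach ($m in $members) {
            # Local accounts are expected; domain principals deserve a look; broad groups are findings.
            $finding = 'OK: local account'
            if ($m -like "$DomainName\*") { $finding = 'Review: domain principal' }
            if ($Risky -contains $m)      { $finding = 'RISKY: broad group is local admin' }
            [pscustomobject]@{ Computer = $c; Member = $m; Finding = $finding }
        }
    }
}

Test-LocalAdminMembership -ComputerName $Computers -Risky $RiskyMembers |
    Sort-Object Finding, Computer | Format-Table -AutoSize
```

Any row marked RISKY is exactly the "admin on every computer in the domain" case described above and is the first thing to remove before rolling out per-application policies.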

If they had the time, these administrators could lock down users' computers, then deploy any software that a user requests by using a Group Policy Object (GPO) or a deployment tool. And if a user needed to run a tool or legacy software that requires Local Administrator privileges, administrators could use a tool such as Process Monitor to relax (via a GPO) the appropriate registry or NTFS security permissions. Deploying software and relaxing permissions when needed aren't difficult tasks, but they can be time-consuming. In the end, many administrators just give up and grant users local administrator access to their machines so that they can move on to the next fire.

Viewfinity Privilege Management takes the work out of discovering the permissions that each application needs to function correctly. It also gives you the option of letting users install software on their own, while you still maintain control -- all from an easy-to-manage console. Viewfinity isn't the first software company to come up with this type of solution. A few years ago, I reviewed a similar product in the article "Bit9 Parity." The products are similar, but Viewfinity adds a new twist. In addition to a locally administered tool (GPO Editor) that runs on your network, Privilege Management can also be implemented using a Software as a Service (SaaS) model. Both the GPO Editor and SaaS editions of the product have their pros and cons.

Test Network

To test Privilege Management, I used a test network consisting of a Windows Server 2008 domain, a Windows XP client, and a Windows 7 client. For testing the GPO Editor edition, I added a Server 2008 member server to host the software.

Overview

For the most part, the GPO Editor and SaaS editions of Privilege Management function identically. They divide the applications that your users need to run into two groups:

  • Applications that are currently installed; these applications are managed with applied policies
  • Applications that your users will likely want to use in the future; these applications are managed with a feature named Policy Automation

If users need to use a particular application or tool in their day-to-day activities, you can create a policy that allows its use. For example, in a locked-down computer environment, non-administrator users can't run the Disk Defrag utility, change the power options, or change the date, time, or time zone. You can create a policy that lets them do these things. In addition, if there's a legacy program that users need but it requires Local Administrator privileges to run, you can configure a policy so that they're allowed to run this program with escalated security privileges, while keeping the users out of the Local Administrator security group.

This is a great start, for sure. But eventually you'll run into the problem I mentioned previously -- you simply don't have time to research and write a policy for every single application that users might want to use. This is where Policy Automation comes in.

Policy Automation actively monitors the applications that your users attempt to use. They're prompted by a dialog box that asks them to write a short justification for why they need access to a specific tool or application. This request is then logged in the Privilege Management tool, where you can quickly write a new policy that allows them to use the software that they've requested. The new policy can be implemented right away or at a specific date and time. You can also set a policy to expire at a certain date and time. What makes Policy Automation extremely powerful is that the Viewfinity client agent sends all the data needed to create a policy for the requested application back to the management console. You simply right-click the event (e.g., a user attempted to set the date and time), choose Create Policy, and follow a wizard's instructions.

GPO Editor Edition

If you would like to manage the back-end server yourself, Privilege Management comes in a standard executable that you install on your own server. Double-clicking VFGPOEditorSetup.exe takes care of the prerequisites, such as Microsoft .NET Framework 3.5 SP1 and Microsoft Report Viewer 2010, during the installation. The entire administrative console is built as an add-on to the Group Policy Management Console (GPMC), as Figure 1 shows.

Figure 1: The administrative console in the GPO Editor edition

Each computer that you want to manage needs to have a client agent installed. The agent comes in an .msi file, so installing it with a GPO, Microsoft System Center Configuration Manager (SCCM), or your favorite third-party deployment tool is a snap.

One of the advantages of the GPO Editor edition is the close integration with Group Policy and GPMC. As a result of this integration, you can easily target specific users and computers.

Another advantage over the SaaS product is that you and you alone control the product. You don't have to rely on an administrator in someone else's data center (aka the cloud) to ensure that your users are able to run the software that they require.

I found the GPO Editor edition to be responsive and easy to use. I found only one disadvantage over the SaaS edition: slower policy updates. The SaaS edition has a very tight communication window with each Windows client, whereas the GPO Editor edition updates the policies for the clients during the standard GPO update cycle. (According to TechNet, this happens "every 90 minutes, with a random offset of 0 to 30 minutes.") I could speed this up during testing by issuing the gpupdate /force command from the client, but it's otherwise much slower than the SaaS edition.
