Most systems administrators subscribe to the principle of granting users as few privileges as possible. However, using standard Active Directory (AD) Group Policy alone makes it difficult to give users the privileges to install, run, and configure company-required applications without either granting administrator rights or overly involving the Help desk in assisting users.
BeyondTrust Software’s PowerBroker Desktops helps ease the burden of implementing the least-privilege desktop for Windows Server 2008 and Windows Server 2003 domains. To get started with the product, I cracked open the well-written and detailed installation guide, which describes a two-step installation process.
The first step is to install the BeyondTrust Group Policy snap-in on any 32-bit or 64-bit machine (either Server 2003 SP1 and later or Windows XP SP2 and later) that is used to manage Group Policy Objects (GPOs). Installing the snap-in was simple and straightforward. After installing Microsoft .NET Framework 2.0, I ran the supplied MSI file on my Server 2003 domain controller (DC) and accepted all the default options. After opening Group Policy Management Console (GPMC) and creating a GPO, I noticed two new items named PowerBroker Desktops in Group Policy Object Editor, under \Computer Configuration\Computer Security and \User Configuration\User Security. No additional configuration was necessary for the snap-in, other than importing a license file.
The second step is to deploy the client software via standard Group Policy software installation. This step was problem free, and because the client is a standard MSI file, any software deployment tool can be used instead. The client can be installed on most recent versions of Windows, including Server 2003 SP1 and later and XP SP2 and later.
After I installed the Group Policy snap-in and deployed the client, I was ready to begin defining policies. Creating policies is an intuitive process: you open a new or existing GPO that targets the users or computers to manage, right-click the PowerBroker Desktops node in the GPO, and select Create new policy. Policy options include permission escalation (usually to Administrator) and individual privileges (e.g., shut down the computer, act as part of the operating system), as well as other optional items. The policies are broken down into 10 types, as Figure 1 shows, each targeted at users or computers, which let you define exceptions for almost any privilege escalation.
From previous experience with Microsoft Customer Service and Support, I knew that a standard Windows 7 user cannot install a printer driver from a Windows-based print server unless seven or more Group Policy exceptions are created. To determine the type of BeyondTrust rule needed, I attempted to add the printer from the client PC and noticed, through BeyondTrust’s handy policy monitor tool (polmon.exe), that ntprint.exe needed a privilege escalation. On the Group Policy management machine, I created a new BeyondTrust path rule (which escalates a program at a defined file path) that specified the path to ntprint.exe, granted administrator permissions via the Permissions tab, and granted the Load and unload device drivers privilege via the Privileges tab. After a Group Policy refresh on the client PC using gpupdate /force, I was able to add the printer.
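A path rule elevates whatever runs from the named path, so before writing one it is worth confirming that the targeted users cannot replace or shadow that file. The following PowerShell function is an added example for this review, not code from the article or from BeyondTrust: it checks a candidate executable (the review's ntprint.exe case) for a valid Authenticode signature and scans the DACLs of the file and its directory for write-type rights granted to the principals a standard user belongs to. The principal list and rights mask are generic Windows checks chosen for this example, not PowerBroker settings.

```powershell
# Added example: pre-flight check for an executable before granting it a
# PowerBroker path rule. Not code from the review or from BeyondTrust.

function Test-ElevationTarget {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $result = [ordered]@{
        Path            = $Path
        Exists          = Test-Path -LiteralPath $Path -PathType Leaf
        Signed          = $false
        Signer          = $null
        UserWritable    = @()
        SafeForPathRule = $false
    }
    if (-not $result.Exists) { return [pscustomobject]$result }

    # An unsigned or tampered binary should not receive a blanket elevation rule.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.Signed = ($sig.Status -eq 'Valid')
    $result.Signer = $sig.SignerCertificate.Subject

    # Principals a standard (non-admin) user is typically a member of (assumption
    # for this example; extend with your own low-privilege groups as needed).
    $lowPriv = @('BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users',
                 'Everyone',
                 'NT AUTHORITY\INTERACTIVE')

    # Rights that would let such a user swap the binary or drop one into the
    # directory; any of these on the file or its parent defeats a path rule.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions, Delete'

    foreach ($target in @($Path, (Split-Path -LiteralPath $Path -Parent))) {
        $acl = Get-Acl -LiteralPath $target
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeMask) -ne 0) {
                $result.UserWritable += "$target : $($ace.IdentityReference) has $($ace.FileSystemRights)"
            }
        }
    }

    $result.SafeForPathRule = $result.Signed -and ($result.UserWritable.Count -eq 0)
    [pscustomobject]$result
}

# The review's case: ntprint.exe, which polmon.exe showed needing elevation.
Test-ElevationTarget -Path "$env:SystemRoot\System32\ntprint.exe" | Format-List
```

Run it on the management machine or a reference client before creating the rule; a non-empty UserWritable list means the rule would elevate any file a standard user chooses to place there, and the rule should not be created until the ACL is corrected. After the rule is in place and gpupdate /force has run on the client, gpresult /r on that client lists the applied GPOs so you can confirm the policy actually reached the machine.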
Next, I tested another challenging application as a Windows 7 standard user: GoToMeeting, the web conferencing and online meeting software. The installer is downloaded via an ActiveX control that spawns several .exe file downloads and installation processes. After a few failed attempts, including defining an ActiveX rule and a hash rule (which escalates a file regardless of where it’s executed) for all GoToMeeting .exe files, the installation still failed. Finally, after consulting with BeyondTrust, I got the installation to succeed by removing the previous rules and using a single shell rule, which lets you define a program path for exception together with its arguments. The rule for the Internet Explorer (IE) executable grants administrator permissions and all privileges for the GoToMeeting.com site and its subsites. When you use a shell rule with IE, a separate browser session launches on the client; the specified site downloads, and installations run with elevated permissions. Because that entire browser session runs elevated, the site argument should be kept as narrow as the installer allows.
PowerBroker also includes default path rules that solve many common escalation requests specific to each Windows version, such as disk defragmentation and adding hardware. Another useful rule type is the folder rule, which lets an administrator designate a common installation share from which users can install approved software.
Overall, I was impressed with PowerBroker’s capabilities. The product works as advertised and lets administrators create the flexible rules necessary to maintain a desktop with only approved applications and settings. Despite the high licensing cost, PowerBroker would particularly benefit any admin who hasn’t yet rolled out Windows 7 and needs to implement systems that don’t have local users in the Administrators group.
PROS: Simple installation; wide range of rule types; excellent documentation; seamless Group Policy integration
CONS: Licensing cost
PRICE: Starts at $30 per seat
RECOMMENDATION: PowerBroker would benefit any systems administrator who uses Active Directory, particularly admins who haven’t yet rolled out Windows 7 and need to implement systems that don’t have local users in the Administrators group.
CONTACT: BeyondTrust Software • 800-234-9072 • www.beyondtrust.com