Product Review: Viewfinity Privilege Management

Take the work out of discovering permissions each application needs to function correctly

Eric B. Rux

April 21, 2012


Having domain users be the local administrators of their own computers is a bad but common practice. To make matters worse, if the Domain Users group is a member of the local administrator group, the users also have administrative privileges on every computer in the domain. Administrators know that this is a security risk, but on top of the daily fires that they have to extinguish, there often isn't time to remedy this situation.

If they had the time, these administrators could lock down users' computers, then deploy any software that a user requests by using a Group Policy Object (GPO) or a deployment tool. And if a user needed to run a tool or legacy software that requires Local Administrator privileges, administrators could use a tool such as Process Monitor to relax (via a GPO) the appropriate registry or NTFS security permissions. Deploying software and relaxing permissions when needed aren't difficult tasks, but they can be time-consuming. In the end, many administrators just give up and grant users local administrator access to their machines so that they can move on to the next fire.
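To see whether a machine is in the state described above, the following added example (not from the original article or from Viewfinity) classifies the members of the local Administrators group and flags Domain Users and other broad groups. The function name, the CONTOSO domain, and the sample SIDs are constructed for illustration.

```powershell
# Added example: classify members of BUILTIN\Administrators (well-known SID S-1-5-32-544).
# Well-known domain RIDs: 513 = Domain Users, 512 = Domain Admins, 500 = built-in Administrator.
function Get-LocalAdminFinding {          # hypothetical helper name
    param([Parameter(Mandatory)][object[]]$Members)
    # Everyone, Authenticated Users, INTERACTIVE: groups that cover effectively all users
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4'
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        $finding = if ($broad -contains $sid -or $sid -match '^S-1-5-21-(\d+-){3}513$') {
            'HIGH: broad group, every member is a local administrator'
        } elseif ($sid -match '^S-1-5-21-(\d+-){3}(500|512)$') {
            'OK: expected default member'
        } elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            'MEDIUM: domain user added directly'
        } else {
            'REVIEW: confirm this member is intended'
        }
        [pscustomobject]@{ Name = $m.Name; SID = $sid; Finding = $finding }
    }
}

# Constructed sample membership (placeholder names and SIDs) so the example runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator'; ObjectClass = 'User'
        SID = 'S-1-5-21-1111111111-2222222222-3333333333-500'; PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins'; ObjectClass = 'Group'
        SID = 'S-1-5-21-4444444444-5555555555-6666666666-512'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Users'; ObjectClass = 'Group'
        SID = 'S-1-5-21-4444444444-5555555555-6666666666-513'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CONTOSO\jsmith'; ObjectClass = 'User'
        SID = 'S-1-5-21-4444444444-5555555555-6666666666-1104'; PrincipalSource = 'ActiveDirectory' }
)
Get-LocalAdminFinding -Members $sample | Format-Table -AutoSize

# On a live machine (Windows PowerShell 5.1 or later), pass in the real membership:
# Get-LocalAdminFinding -Members (Get-LocalGroupMember -SID 'S-1-5-32-544')
```

Matching on SIDs rather than names keeps the check working on localized Windows installations and when groups have been renamed.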

Viewfinity Privilege Management takes the work out of discovering the permissions that each application needs to function correctly. It also gives you the option of letting users install software on their own, while you still maintain control -- all from an easy-to-manage console. Viewfinity isn't the first software company to come up with this type of solution. A few years ago, I reviewed a similar product in the article "Bit9 Parity." The products are similar, but Viewfinity adds a new twist. In addition to a locally administered tool (GPO Editor) that runs on your network, Privilege Management can also be implemented using a Software as a Service (SaaS) model. Both the GPO Editor and SaaS editions of the product have their pros and cons.

Test Network

To test Privilege Management, I used a test network consisting of a Windows Server 2008 domain, a Windows XP client, and a Windows 7 client. For testing the GPO Editor edition, I added a Server 2008 member server to host the software.

Overview

For the most part, the GPO Editor and SaaS editions of Privilege Management function identically. They divide the applications that your users need to run into two groups:

  • Applications that are currently installed; these applications are managed with applied policies

  • Applications that your users will likely want to use in the future; these applications are managed with a feature named Policy Automation

If users need to use a particular application or tool in their day-to-day activities, you can create a policy that allows its use. For example, in a locked-down computer environment, non-administrator users can't run the Disk Defrag utility, change the power options, or change the date, time, or time zone. You can create a policy that lets them do these things. In addition, if there's a legacy program that users need but it requires Local Administrator privileges to run, you can configure a policy so that they're allowed to run this program with escalated security privileges, while keeping the users out of the Local Administrator security group.

This is a great start, for sure. But eventually you'll run into the problem I mentioned previously -- you simply don't have time to research and write a policy for every single application that users might want to use. This is where Policy Automation comes in.

Policy Automation actively monitors the applications that your users attempt to use. They're prompted by a dialog box that asks them to write a short justification for why they need access to a specific tool or application. This request is then logged in the Privilege Management tool, where you can quickly write a new policy that allows them to use the software that they've requested. The new policy can be implemented right away or at a specific date and time. You can also set a policy to expire at a certain date and time. What makes Policy Automation extremely powerful is that the Viewfinity client agent sends all the data needed to create a policy for the requested application back to the management console. You simply right-click the event (e.g., a user attempted to set the date and time), choose Create Policy, and follow a wizard's instructions.

GPO Editor Edition

If you would like to manage the back-end server yourself, Privilege Management comes in a standard executable that you install on your own server. Double-clicking VFGPOEditorSetup.exe takes care of the prerequisites, such as Microsoft .NET Framework 3.5 SP1 and Microsoft Report Viewer 2010, during the installation. The entire administrative console is built as an add-on to the Group Policy Management Console (GPMC), as Figure 1 shows.


Figure 1: The administrative console in the GPO Editor edition 

Each computer that you want to manage needs to have a client agent installed. The agent comes in an .msi file, so installing it with a GPO, Microsoft System Center Configuration Manager (SCCM), or your favorite third-party deployment tool is a snap.

One of the advantages of the GPO Editor edition is the close integration with Group Policy and GPMC. As a result of this integration, you can easily target specific users and computers.

Another advantage over the SaaS product is that you and you alone control the product. You don't have to rely on an administrator in someone else's data center (aka the cloud) to ensure that your users are able to run the software that they require.

I found the GPO Editor edition to be responsive and easy to use. I found only one disadvantage over the SaaS edition: slower policy updates. The SaaS edition has a very tight communication window with each Windows client, whereas the GPO Editor edition updates the policies for the clients during the standard GPO update cycle. (According to TechNet, this happens "every 90 minutes, with a random offset of 0 to 30 minutes.") I could speed this up during testing by issuing the gpupdate /force command from the client, but it's otherwise much slower than the SaaS edition.

SaaS Edition

The SaaS edition is a service that you access over the Internet. The only software that is installed locally is the client agent on each computer you want to manage and a web plug-in on the computer that you'll use to manage the Privilege Management software.

Like the agent for the GPO Editor edition, the agent for the SaaS edition comes in both 32- and 64-bit versions and can be installed on clients running XP SP3 or later. The client agents can be installed in one of three ways:

  • Automated discovery of assets and agent deployment -- After the agent is manually installed on one computer, this same agent software can discover and install the agent on the remaining computers in your domain. Note that you must have TCP ports 135, 139, and 445 opened on each local computer firewall.

  • Manually install or install using a software deployment tool -- The agent also comes prepackaged in an .exe file for manual installation on each machine and an .msi file for deployment through a GPO, SCCM, or a third-party deployment tool.

  • Email agent installation package link -- Users are emailed a link that they use to download the agent and install it themselves. Because administrators are constantly trying to train users to not install software from a link that they receive via email, this option seems like a last resort at best.

I installed the agent manually on each client machine (as a local administrator) and was surprised to see the object almost immediately show up in the online SaaS console. To test the software, I logged on to the client as a domain user that was not a local administrator. Just like with the GPO Editor edition, managing the applications that users request is a snap.

The management of the computers themselves is done through a web browser interface. Again, no server-side software is installed in your data center.

The SaaS edition has both pros and cons, just like the GPO Editor edition. For starters, as with all SaaS solutions, you are not in control of the data center components of the software. This was clearly evident over the weekend when I was met with this message on the Viewfinity website: Scheduled maintenance occurs every Sunday between 9:00 AM and noon GMT on the Viewfinity SaaS platform. During this time service may be interrupted. If you have specific questions, please contact Viewfinity support at [email protected].

I also noticed that the website can be slow sometimes. The web application hung a number of times for no apparent reason. If this happens when you're creating policies, it can be very frustrating. And I thought the SaaS interface wasn't as intuitive as the on-site application, as a number of separate browser windows need to be open in order to use the application.

One huge advantage that the SaaS edition has over the GPO Editor edition is the communication mechanism that it uses. Instead of having to open ports on the firewall to allow communication, all policies are transmitted via https (port 443), which is open on most firewalls. The SaaS edition was also much faster sending new policies to the clients. Instead of waiting for the next GPO refresh cycle, the new policies are sent almost immediately -- most times in under a minute. If you have a mobile sales force that still doesn't understand what the VPN is used for, the SaaS edition may be your best bet.

Windows 7 versus XP

By using the included Quick Start Guide, I was able to easily set up a policy that allowed a non-administrator to run the built-in Disk Defrag utility. When I attempted to run software or access a restricted system tool (such as changing the date and time), I found it simple to create a policy from the log of the event.

I found the experience pleasurable for the Windows 7 client, but the XP client proved to be more of a challenge. The applied policies worked fine. But the Policy Automation feature didn't recognize many of the access attempts in XP that were recognized in Windows 7. According to Alex Shoykhet, vice president of product management at Viewfinity, this will be addressed in the next version. If you currently have XP machines, I recommend that you leave them alone and implement Privilege Management at the same time you roll out Windows 7 or Windows 8. Making the change at the same time you implement a shiny new OS might also help your users more easily accept the increased security.

A Powerful Tool

Letting users operate as local administrators of their computers is bad security practice. Viewfinity takes much of the work out of determining how to relax the appropriate permissions in a locked-down computer environment. Add to this feature set the choice of using the SaaS or GPO Editor edition and you have a powerful tool in your back pocket.
