Overview
Granting Administrative Privileges to Standard Users
Certain Windows applications and desktop functions require local administrative privileges in order to run and function properly on a desktop or laptop. Granting full administrator rights creates a less secure desktop environment and opens the door for malicious hackers and malware, so organizations consider granting administrator rights to standard users to be risky. It also undermines the least-privilege controls expected under compliance regimes such as the Sarbanes-Oxley Act and HIPAA. Additionally, the US Government Federal Desktop Core Configuration (FDCC) mandate stipulates that administrative rights cannot be granted to end users and may not be made available on federal desktops and laptops.
How It Works
Viewfinity elevates administrative rights for specific processes or applications rather than for the user account as a whole. When permissions are raised, the elevation is applied directly to the security token of that user process: the application is started under the current user's own credentials instead of via RUN AS, which requires an administrative account (and its password) to raise privileges. Because RUN AS runs the application as the administrator rather than as the logged-on user, it exposes administrative credentials on the desktop and writes per-user settings into the administrator's HKEY_CURRENT_USER hive instead of the user's own, which breaks applications that expect their settings in the current user's registry.
Is flexible lockdown really possible? Darren Mar-Elia, Microsoft Group Policy MVP, shares his top 10 tips & tricks related to desktop lockdown in this two-page checklist.
Try it now for 14 days. In four easy steps and in less than ten minutes, the software can be installed and ready for evaluation.
Not sure which product is best for your needs? View our side-by-side comparison of all features.
Need to ensure FDCC Compliance? Download this brochure: Viewfinity FDCC Compliance: Desktop Lockdown with Flexible Privilege Management
Real-time Privilege Elevation
All elevation rules are applied in real time and do not require users to log off and back on. Viewfinity doesn't require desktops to be members of the domain or to be attached to the corporate network in order for privilege elevation policies to be delivered. Reports can be used to monitor the status of policies being applied.
ActiveX Controls
Another restriction imposed in least-privilege environments is that non-administrative users cannot install approved ActiveX controls. IT administrators may continue to operate endpoint devices in least-privilege mode and use Viewfinity Elevate Privileges to grant administrative rights for installing:
- ActiveX controls
- Signed ActiveX controls
- ActiveX controls from specific URLs
- ActiveX controls from specific Publisher and version
Printer Installations
For organizations with locked-down environments, trivial end-user tasks such as installing or removing printers become a burdensome IT support task. Viewfinity Elevate Privileges allows IT administrators to grant permissions for non-administrative users to install and remove printers. IT administrators no longer need to get bogged down with requests that an end user should be able to handle without IT intervention.
A survey conducted in December 2009 (272 respondents) found that 61% of organizations lock down their desktops, but only 12% use a privilege management product.
Granting Administrator Rights for Applications and Scripts
Viewfinity solves the end-user administrative privileges problem by supporting a locked-down, least-privilege environment
that gives IT administrators granular control over which applications and desktop functions may run with administrator rights, and on which desktops and laptops.
There is no need to jeopardize your network by granting full privileges to every user just so they can run a business
application that requires administrative privileges. With Viewfinity's Elevate Privileges functionality,
IT professionals can assign administrative permissions to specific applications and desktop
functions without granting full administrative rights. In some scenarios, administrators may need to
execute scripts on the client machine. Under normal circumstances these would require administrative
rights in order to run. Using Viewfinity Privilege Management, administrators can create policies that
will execute scripts without assigning local administrator rights to the end user.
Identifying Applications that Require Administrative Rights
Before removing local administrative rights from endpoints, it is important to gather accurate
information about the applications that will require administrative rights once permissions
are removed from users. Accurate reporting is required in order to keep the user environment
free of disruption. Viewfinity supports Shell Extension policies that allow non-admin users to
run all applications with elevated permissions while usage is recorded. Because every application can be
elevated during this window, it should be kept short and limited to a pilot group. After a period of time, when application usage,
based on elevation, has been determined and collected, Shell Extension policies can be deactivated
and per-application policies can be enabled in their place. The data collected can be reviewed in a report that
covers a single PC or multiple PCs/users and includes details on usage and applications.
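The discovery step above, as an added example that is not Viewfinity's code: it reads a constructed log of elevation events, aggregates them by executable hash (not by path or file name, so a renamed or modified copy of a binary does not inherit a rule written for the original), and splits the result into candidates for an elevation rule and items that need manual review. The log format, field names and thresholds are assumptions made for this illustration.

```python
"""Summarise elevation-audit events gathered during a discovery phase.

Added example, not Viewfinity code. The log format is an assumption: one
tab-separated event per line with timestamp, host, user, executable path,
signing publisher ("-" when unsigned) and SHA-256 of the executable.
"""
from dataclasses import dataclass, field

# Constructed sample events (assumed format, not a real product log).
SAMPLE_LOG = (
    "2009-12-01T09:02:11\tPC-001\tjdoe\tC:\\Program Files\\Acme\\acme.exe\tAcme Corp\t1111aaaa\n"
    "2009-12-01T09:05:40\tPC-001\tjdoe\tC:\\Users\\jdoe\\Downloads\\tool.exe\t-\t2222bbbb\n"
    "2009-12-01T10:15:02\tPC-002\tasmith\tC:\\Program Files\\Acme\\acme.exe\tAcme Corp\t1111aaaa\n"
    "2009-12-02T08:30:19\tPC-003\tbnguyen\tC:\\Program Files\\Acme\\acme.exe\tAcme Corp\t1111aaaa\n"
    "2009-12-02T11:47:55\tPC-002\tasmith\tC:\\Windows\\System32\\defrag.exe\tMicrosoft Windows\t3333cccc\n"
)


@dataclass
class AppUsage:
    path: str
    publisher: str
    sha256: str
    count: int = 0
    hosts: set = field(default_factory=set)
    users: set = field(default_factory=set)


def parse_events(text):
    """Yield one dict per well-formed log line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        ts, host, user, path, publisher, sha256 = fields
        yield {"ts": ts, "host": host, "user": user, "path": path,
               "publisher": publisher, "sha256": sha256}


def summarise(text):
    """Aggregate by executable hash rather than by path or file name."""
    apps = {}
    for ev in parse_events(text):
        app = apps.setdefault(ev["sha256"],
                              AppUsage(ev["path"], ev["publisher"], ev["sha256"]))
        app.count += 1
        app.hosts.add(ev["host"])
        app.users.add(ev["user"])
    return apps


def propose_rules(apps, min_hosts=2):
    """Split discovered binaries into candidates for an elevation rule
    (signed and seen on at least min_hosts machines) and items needing
    manual review (unsigned, or seen on fewer machines)."""
    proposed, review = [], []
    for app in sorted(apps.values(), key=lambda a: a.count, reverse=True):
        if app.publisher != "-" and len(app.hosts) >= min_hosts:
            proposed.append(app)
        else:
            review.append(app)
    return proposed, review


if __name__ == "__main__":
    proposed, review = propose_rules(summarise(SAMPLE_LOG))
    for app in proposed:
        print(f"RULE   {app.path}  publisher={app.publisher}  sha256={app.sha256}  hosts={len(app.hosts)}")
    for app in review:
        print(f"REVIEW {app.path}  publisher={app.publisher}  hosts={len(app.hosts)}")
```

With the sample data, the signed Acme application seen on three machines becomes a rule candidate, while the unsigned download and the one-off defrag run are left for review; raising or lowering `min_hosts` moves items between the two lists.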
Computer Management Functions
Occasionally end users may require administrator rights in order to perform PC service and management functions such as Device Management, Disk Defragmenter, Manage Services, and User Accounts & Shares. With Viewfinity these tasks can be run by standard users by elevating privileges only for the specified management function.
Support for Mobile Workers
Viewfinity does not require laptops or desktops to be part of the Active Directory domain or to be directly connected to the corporate network in order to activate policies that manage administrator privileges. As soon as the PC connects to the internet, Viewfinity delivers the policies and rules established by the IT Administrator. Once delivered, all policies continue to be enforced even while working offline.
Intelligent Reporting through Policy Auditing
Viewfinity provides detailed reporting on all administrator privilege policies, including an audit trail report that confirms a policy has been delivered and activated on endpoint devices. This includes validation of policy delivery to mobile and remote users, to a single computer or a group of computers, and/or for a specific application.
Key Features
- ActiveX: Manages permissions for non-administrative users to install ActiveX Controls
- Printers: Manages permissions for non-administrative users to install printers
- Computer Management Functions: Raises privileges to perform specific administrative functions (Device Management, Disk Defragmenter, Manage Services and User Accounts & Shares)
- Applications: Elevates administrative privileges for approved applications without compromising security on the PC (managed via central console, no desk-side visits required)
- Scripts: Elevates administrative privileges for approved scripts so they can run without the user holding admin rights. Supported script types: .BAT, .CMD, .VBS, .VBE, .JS, .JSE, .WSF, .WSH
- Remote/Mobile Clients: Automatically delivers policies to remote clients as soon as the PC connects to the internet
- Reports: Confirm policy delivery status to ensure policies were applied
- Additional Flexible Privilege Management features:
  - Provides the ability to block application usage, perform whitelisting and lock down PCs
  - Creates a whitelist of applications and permits or blocks the use of child processes
  - Reports on software installation attempts and usage of unauthorized software
  - Configures multi-level compliance policies at a granular level: on/off the corporate network, time of day, group, department, individual user, application(s), or any combination of these variables
  - Requires only an internet connection to deliver and control administrative privilege policies
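The granular, multi-condition policies listed above (network state, time of day, group, user, application identity), as an added example that is not Viewfinity's code: a small rule evaluator with a default-deny decision. The rule schema, the available conditions and the precedence (a matching block rule always wins, then elevate, otherwise the process runs as the standard user) are assumptions chosen for this illustration; the rule set and contexts are constructed.

```python
"""Evaluate per-application elevation rules against a launch-time context.

Added example, not Viewfinity code. Rule fields, condition semantics and
precedence are assumptions made to illustrate granular elevation policy.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Context:
    """What the endpoint agent knows when a process is launched (constructed fields)."""
    user: str
    groups: frozenset
    on_corp_network: bool
    local_time: time
    exe_path: str
    publisher: Optional[str]      # None when the binary is unsigned
    sha256: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "elevate" or "block"
    sha256: Optional[str] = None         # strongest identity: survives renaming, not modification
    publisher: Optional[str] = None      # signer name; unsigned binaries never match a publisher rule
    path_prefix: Optional[str] = None    # weakest identity; fine for "block everything under X"
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    require_corp_network: Optional[bool] = None
    hours: Optional[tuple] = None        # (start, end) local time window, end exclusive

    def matches(self, ctx):
        """Every condition set on the rule must hold; unset conditions are wildcards."""
        if self.sha256 is not None and self.sha256 != ctx.sha256:
            return False
        if self.publisher is not None and self.publisher != ctx.publisher:
            return False
        if self.path_prefix is not None and not ctx.exe_path.lower().startswith(self.path_prefix.lower()):
            return False
        if self.users and ctx.user not in self.users:
            return False
        if self.groups and not (self.groups & ctx.groups):
            return False
        if self.require_corp_network is not None and self.require_corp_network != ctx.on_corp_network:
            return False
        if self.hours is not None and not (self.hours[0] <= ctx.local_time < self.hours[1]):
            return False
        return True


def decide(rules, ctx):
    """Return (decision, names of the rules that produced it).
    Block beats elevate; with no match the process runs unelevated (default deny)."""
    matched = [r for r in rules if r.matches(ctx)]
    blocks = [r.name for r in matched if r.action == "block"]
    if blocks:
        return "block", blocks
    elevates = [r.name for r in matched if r.action == "elevate"]
    if elevates:
        return "elevate", elevates
    return "standard", []


def make_context(user, groups, on_corp_network, hour, exe_path, publisher, sha256):
    """Convenience constructor for a Context at the top of the given hour."""
    return Context(user, frozenset(groups), on_corp_network, time(hour, 0),
                   exe_path, publisher, sha256)


# Constructed policy set (assumed, for illustration only).
RULES = (
    Rule("acme-finance", "elevate", sha256="1111aaaa", groups=frozenset({"Finance"}),
         require_corp_network=True, hours=(time(7, 0), time(19, 0))),
    Rule("defrag", "elevate", publisher="Microsoft Windows",
         path_prefix="C:\\Windows\\System32\\defrag.exe"),
    Rule("no-user-profile-binaries", "block", path_prefix="C:\\Users\\"),
)

# Constructed identity of the approved Acme binary.
ACME = dict(exe_path="C:\\Program Files\\Acme\\acme.exe", publisher="Acme Corp", sha256="1111aaaa")

if __name__ == "__main__":
    print(decide(RULES, make_context("jdoe", ["Finance"], True, 10, **ACME)))
    print(decide(RULES, make_context("jdoe", ["Finance"], False, 10, **ACME)))
```

Two cases worth noticing: a binary with the approved name and path but a different hash gets no elevation, because the Acme rule is keyed on the hash rather than the path; and the genuine Acme binary copied into a user's profile directory is blocked even though the elevate rule also matches, because block takes precedence. The network-state condition also shows why an offline laptop can legitimately receive a different decision from the same rule set.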