Overview
Granting Administrative Privileges to Standard Users
Certain Windows applications and desktop functions require local administrative privileges in order to run and function properly on a desktop or laptop. Granting full administrator rights creates a less secure desktop environment and opens the door to malicious hackers and viruses, so organizations consider granting administrator rights to standard users to be risky. It also breaches compliance regulations posed by the Sarbanes-Oxley Act and HIPAA. Additionally, the US Government Federal Desktop Core Configuration (FDCC) mandate stipulates that administrative rights cannot be granted to end users and may not be made available on federal desktops and laptops.
How It Works
Viewfinity elevates administrative rights for specific processes or applications rather than at the user account level. When permissions are raised, the elevation is performed directly within the security token of the specific user process. The application or process is started using the current user's credentials, as opposed to RUN AS, which needs the administrative account in order to raise privileges. The RUN AS method potentially introduces security risks and causes issues for changes that are written into the current user's registry.
Real-time Privilege Elevation
All elevation rules are applied in real time and do not require users to cycle through the logon process. Viewfinity doesn't require desktops to be part of the domain or to be attached to the corporate network in order for privilege elevation policies to be delivered. Reports can be used to monitor the status of policies being applied.
ActiveX Controls
Another restriction imposed in least-privilege environments is the inability of non-administrative users to install approved ActiveX controls. IT administrators may continue to operate endpoint devices in least-privilege mode and use Viewfinity Elevate Privileges to grant administrative rights for installing:
- ActiveX controls
- Signed ActiveX controls
- ActiveX controls from specific URLs
- ActiveX controls from a specific publisher and version
Printer Installations
For organizations with locked-down environments, trivial end-user tasks such as installing or removing printers become a burdensome IT support task. Viewfinity Elevate Privileges allows IT administrators to grant permissions for non-administrative users to install and remove printers. IT administrators no longer need to get bogged down with requests that an end user should be able to handle without IT intervention.
61% of organizations lock down their desktops. Only 12% use a privilege management product.*
*Survey conducted in Dec 2009, 272 respondents
Granting Administrator Rights for Applications
Viewfinity solves the administrative privileges problem by supporting a locked down least privileges environment that allows IT administrators to have granular control over which desktops and laptops can operate with administrator rights. There is no need to jeopardize your network by granting full privileges to every user just so they can run a business application that requires administrative privileges. With Viewfinity's Elevate Privileges functionality, IT Professionals can manage and assign administrative privilege permissions to specific applications and desktop functions without granting full administrative rights.
Computer Management Functions
Occasionally end users may require administrator rights in order to perform PC service/management functions such as Device Management, Disk Defragmenter, Manage Services and User Accounts & Shares. With Viewfinity these tasks can be run by standard users by elevating administrator privileges to perform the specified management functions.
Support for Mobile Workers
Viewfinity does not require laptops or desktops to be part of the Active Directory domain or to be directly connected to the corporate network in order to activate policies that manage administrator privileges. As soon as the PC connects to the internet, Viewfinity delivers the policies and rules established by the IT Administrator. Once delivered, all policies continue to be enforced even while working offline.
Intelligent Reporting through Policy Auditing
Viewfinity provides detailed reporting on all administrator privilege policies, including an audit trail report that provides confirmation that a policy has been delivered and activated on endpoint devices. This includes validation of policy delivery to mobile and remote users, to a single computer or a group of computers, and/or for a specific application.
Key Features
- ActiveX: Manages permissions for non-administrative users to install ActiveX Controls
- Printers: Manages permissions for non-administrative users to install printers
- Computer Management Functions: Raises privileges to perform specific administrative functions (Device Management, Disk Defragmenter, Manage Services and User Accounts & Shares)
- Applications: Elevates administrative privileges for approved applications without compromising security on the PC (managed via central console, no desk-side visits required)
- Remote/Mobile Clients: Automatically delivers policies to remote clients as soon as the PC connects to the internet
- Reports: Confirm policy delivery status to ensure policies were applied
- Additional Flexible Privilege Management features:
  - Provides the ability to block application usage, perform whitelisting and lock down PCs
  - Reports on software installation attempts and usage of unauthorized software
  - Configures multi-level compliance policies at a granular level: on/off the corporate network, time of day, group, department, individual user, application(s), or any combination of these variables
  - Requires only an internet connection to invoke and control administrative privilege policies