Vendors give boost to Microsoft management tools

Two management vendors are readying extensions for Microsoft's group policy technology designed to help corporations lock down their desktops and improve operations for securing servers and PCs.

FullArmor this week is releasing its IntelliPolicy for Clients 1.5, which includes controls that let customers limit local administrative rights that end users have on their own desktops. Those rights are seen as a security risk in the face of malware and worms because they provide the ability to control anything on the desktop, including changing registry settings and installing software.

In early June, DesktopStandard plans to release GPOVault, a repository where group policy objects can be edited and tested before being deployed. Users also can delegate rights to edit certain policies to specific administrators.

Both tools plug directly into the Group Policy Management Console provided with Active Directory.

Microsoft's group policy technology, which is supported on Windows 2000, XP and Windows Server 2003, works in conjunction with Active Directory and allows administrators to manage, customize and lock down desktop and server settings based on a set of policies maintained in the directory. The policies, for example, can prevent users from changing settings and can disable services such as USB ports to prevent use of removable storage devices.

"Group policy is very significant, and more than 80% of Windows 2000 users are using it," says William Hurley, senior analyst at Enterprise Strategy Group. "The goal is to use policy-based management to normalize and standardize the environment and create a more secure network from a management perspective. It's an awfully powerful tool."

FullArmor says it hopes to boost that power with IntelliPolicy for Clients 1.5, which lets IT staff activate local administrative rights on desktops on an application-by-application basis. In addition, the tool lets administrators proactively block those rights for certain applications such as Microsoft Outlook, especially on the desktops of users that need local administrative rights activated, such as IT staff.

IntelliPolicy for Clients also has features for locking down settings in Outlook and for automatically changing local administrator passwords across a network at defined intervals. The software is priced at $7 per user.

DesktopStandard is adding to group policy features with its GPOVault, a repository for group policy objects (GPO), which are collections of rules that can be universally applied.

GPOVault lets users control the creation, modification and deletion of GPOs; delegate responsibility for GPOs to specific administrators; assign users roles such as editing, review and approval, and audit all activity. GPOVault also lets users recover a deleted GPO, repair live GPOs and roll back any changes.