FullArmor last week announced the latest version of its policy management product IntelliPolicy for Clients 1.5. The release addresses one of the thorniest security issues for Windows administrators: how to create secure desktop configurations that reduce vulnerabilities without impacting end-user productivity.

A new feature of IntelliPolicy allows you to control privileges on an application-by-application basis by extending Microsoft's Group Policy infrastructure. As we all know, a machine with administrator privileges can bring down an entire network. However, most legacy applications need administrator rights to function. That's the dilemma many organizations are facing today.

IntelliPolicy allows IT departments to assign appropriate privilege levels to individual applications on a user-by-user basis. It can also throttle back rights for applications like Outlook and Internet Explorer that should never have elevated privileges. IntelliPolicy also automates policy configuration and enforcement for Outlook e-mail clients and administrator password management. For all I know it might even sweep the floor and wash the dishes.

Security and ease of use have always battled, with users and management who clamor for easier to use networks and applications - until something bad happens. Then it's your fault because you were too lax in enforcing security.

<aside> For an entertaining, yet informative and even frightening look at security issues, see "Why Your Security Investigation Is Going To Fail" (http://blogs.ittoolbox.com/security/investigator/archives/004288.asp). I especially like reason No. 4 - "Your support from management can be summed up as 'we need better coffee in the breakroom - can we let another security staffer go?' " </aside>

As FullArmor explains it, "Microsoft Windows provides three categories for assigning user privileges: local administrator, power user, and user. Since local administrator accounts have complete control to modify configurations and install software, a machine with these powerful capabilities could quickly bring down a network in the event of a malware or worm infection.

"To reduce security vulnerabilities associated with applications that require local administrator privilege to operate on Windows clients, IntelliPolicy for Clients allows IT departments to assign elevated rights to an application, but not to its users. This enables the application to function properly without exposing local administrator rights and management powers to business users."