Security by least privilege

Security can get in your face if you let it
IT Best Practices Alert By Linda Musthaler, Network World, 05/21/2007

Linda Musthaler's CIO-level look at the latest networking technologies and their benefits and pitfalls.

You’ve probably seen the Apple ads with the characters Mac and PC. One of my favorites is the episode called “Security,” where a Secret Service-type guy stands behind PC and intercepts every message between Mac and PC. His main line is “Cancel or allow,” and he says it often. PC explains to Mac that the guy is part of his new Vista operating system security and he is there to verify authorization for pretty much everything PC wants to do. The guy is really annoying, but PC is hesitant to get rid of him because that defeats the purpose of having security built into Vista.

It’s a creative ad, and unfortunately it hits quite close to home. Customers who have implemented or tested Vista’s User Account Control (UAC) feature can really relate to the ad. Security can get in your face if you let it.

UAC is meant to control how individuals use their PCs and what applications and Web sites they can access. This feature allows an administrator to set privileges by identifying a person as either a “standard user” or an “administrator.” When a person is set as a standard user and he tries to install or run an application that requires administrator privileges, a warning window pops up to tell the user he is doing something potentially dangerous, but he can still cancel or allow the action. It’s sort of security by intimidation, but it’s still riddled with holes, especially in managed networks. Why is the user making the decision? What happens if the user allows the action, and it ends up installing malware on his computer? Or even worse, what if it is a malicious user making the decisions?

UAC might be OK for the small office/home office environment, but it’s simply not robust enough for the enterprise. Organizations with many users will want a solution to manage user privileges in a way that is less obtrusive and more bulletproof. And there’s one other obvious shortcoming of UAC: it only supports Windows Vista. Companies that have not yet migrated to Vista must look to third-party products to control user privileges.

I talked with Keith Brown, network administrator for Gwinnett Medical Center, about how he controls user privileges for his community of about 6,000 end users. Since 2005, Brown’s organization has been using Privilege Manager from BeyondTrust, which used to be known as PolicyMaker Application Security from DesktopStandard. In October 2006, Microsoft bought DesktopStandard, but the PMAS product was spun off into the new company, BeyondTrust.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
