
Winternals software aims to protect desktops

Mar 13, 2006 · 3 mins
Enterprise Applications, Security

Software controls user administrative rights.

Winternals last week released software that lets users tighten down desktop security by controlling user administrative rights on an application-by-application basis.

With Protection Manager, users get all the benefits of the much-anticipated User Account Control feature Microsoft is including in Vista when it ships later this year, but the Winternals software will be compatible with older versions of the operating system. Protection Manager also blocks all unauthorized executables from running.

With Windows today, users have desktop privileges that are so crippled they can perform only a handful of functions beyond normal operation, or they have administrative rights on their desktops, which lets them – and any malicious code – do just about anything, including writing to the registry.

Many applications, however, require the desktop to be set for administrative rights so they can execute properly. Microsoft estimates that as many as 80% of Windows users run in administrative mode.

“We were having to rebuild desktops every three to four months to clear off spyware,” says Robert Guidarini, IT manager for Clear Channel Communications, which owns 1,200 radio stations nationwide. Guidarini manages nearly 100 desktops in Clear Channel’s Minneapolis office that he says need to be set for administrative rights for applications to run. Because disk jockeys and other staff are using those computers to work online and offline, Guidarini has installed Protection Manager, which lets him set administrative rights that allow only in-house and legacy applications to run.

“These machines are mission-critical,” Guidarini says. “If our on-air delivery computer goes down because Joe Bob installed a program he found on the Internet, we could lose upwards of $100,000 an hour.”

Protection Manager is similar to products from AppSense, SecureWave and WebSense. In addition, vendors such as FullArmor and Desktop Standard offer extensions to Microsoft’s Group Policy technology that let IT staff limit local administrative rights.

“We think there is a gap in Group Policy, because you can’t elevate or reduce rights for applications,” says Wes Miller, product manager at Winternals. “And we enable zero-day control of all applications that can run on Windows.” That control complements other security software, Miller says, because it can be used to block malicious code from running before virus signatures are updated.

Protection Manager is installed on a central server and works using desktop agents that intercept applications before they execute and then check them against a set of policies that dictate whether they can run and with what desktop privileges. Administrators configure File Sets using the Protection Manager console.

File Sets, which are lists of applications, are then assigned one of four roles: deny execution, allow to execute with administrative privileges when required, allow to execute with limited user privileges and allow to execute normally.

The console lets users delegate role creation to a number of administrators, who can be contacted by users via a real-time communication channel to request role changes. The software agent pulls updated information from the server each time a new application tries to execute. If the application is not in a File Set, it is not allowed to execute. Protection Manager also reports on every application that tries to execute on the desktop, including malicious software.

Protection Manager supports Windows 2000, XP and Windows Server 2003 computers. The Protection Manager administrative console is $69. Agents to protect servers are priced starting at $250; client agents are $25 per computer.