Category Archive: Privilege Guard

10 Reasons to use Privilege Guard over UAC

As many organizations look to migrate to Windows 7, it is an opportune time to review user privileges.  User Account Control (UAC) was introduced by Microsoft in Windows Vista, and it has remained much the same in Windows 7, albeit with a few minor tweaks to its default behavior. Although UAC is a welcome addition to Windows, it really doesn’t provide a corporate solution to least privilege.

Here are 10 reasons why Privilege Guard provides a more suitable solution for the corporate environment.

1. Policy Driven Approach

UAC is a user driven approach to least privilege, in that users make the decision on whether an application should run with administrative rights. Privilege Guard, on the other hand, takes a policy driven approach, where the IT department has complete control over which applications run with administrative rights. It is tightly integrated with Active Directory Group Policy, so no additional backend infrastructure is required to deploy Privilege Guard policies.

2. Standard User Account

UAC requires the user to either log on with a local administrator account or to have access to a local administrator account, which gives the user too much control, leading to deliberate or accidental misuse of these privileges. Privilege Guard enables all users to log on with standard user accounts, as elevated rights are assigned directly to the applications that require them, without the user requiring access to a local administrator account.

3. Granular Privilege Control

UAC can only assign full administrative rights to an application, whereas Privilege Guard can assign granular privileges to individual applications, including, but not limited to, full administrative rights. With Privilege Guard, custom access tokens may be defined, enabling granular control over the groups, privileges and integrity level within an access token. 

4. Privilege Inheritance

Once an application is assigned administrative rights with UAC, all child processes of that application will automatically inherit those rights, and there is no way to override this behavior. In Privilege Guard, privilege inheritance may be defined on a per application basis, ensuring privileges are only inherited where it is absolutely necessary. In addition, Privilege Guard will force standard user rights on the common file dialog that many applications utilize to allow a user to open or save files. This dialog has full explorer capabilities, so it is important to revoke administrative rights from this dialog, to ensure that deliberate or inadvertent modification of files in restricted operating system and application directories is not possible.

5. On Demand Elevation

Although UAC does provide an on demand elevation facility through the “Run as administrator” shell context menu, the requirement for a user to have an administrator password makes this facility inappropriate for most corporate users, with the exception of real system administrators. Privilege Guard enables a custom shell menu item to be defined, which may be applied to all or selected applications. This on demand facility functions under a standard user account, without the need for an administrator password. In addition, the user may be prompted with a custom message and optionally be asked to provide a reason for their actions, which is audited. Users can also be forced to re-authenticate before elevating an application, providing an extra level of security and discouraging a nonchalant attitude.

6. Application Support

UAC may be invoked for executables and installer packages, either because an application is deemed to require administrative rights, or the user has launched the application via “Run as administrator”. In addition to executables and installers, Privilege Guard can also manage the privileges assigned to individual scripts, including batch files, WSH scripts and PowerShell scripts. For more advanced users, Privilege Guard can elevate management console snap-ins, without giving the user elevated rights over the entire MMC. Privilege Guard can also handle the installation of authorized ActiveX controls.

7. Auditing

An important aspect of Privilege Guard is the ability to provide a comprehensive audit trail of each user’s actions. This audit trail may be vital to satisfy regulatory or internal compliance initiatives. Privilege Guard logs detailed application and policy information, including the end user’s reason for elevating an application, where applicable.

8. Privilege Monitoring 

Privilege Guard includes a privilege monitoring capability, which may be used to discover any applications that require elevated rights to function. This capability is often used in the pilot phase of a least privilege project to identify the applications that need administrative rights to run. Once identified, applications may then be added to Privilege Guard policies, enabling these applications to function under a standard user account, without the need for user intervention. Privilege Monitoring may also be used in a live environment to provide application forensics of all privileged operations, including details of access to the file system, registry, kernel objects and interaction with system services.

9. Custom End User Messaging

The end user experience is often overlooked, and yet this can be crucial if a least privilege environment is to be accepted by the user community. Unlike UAC, which shows a fixed message, Privilege Guard provides a fully customizable messaging facility, enabling any number of custom messages to be defined. The IT department has full control over when a message should be displayed, whether a user should be forced to re-authenticate and whether they should be asked to provide a reason for their actions. All of the text in these messages may be customized, including full multi-lingual support. It is also possible to block a user from running a privileged or unauthorized application, and in this scenario the user can be provided with the ability to email a request to the help desk to run the blocked application.

10. Supported Platforms

Although many organizations are looking to make the move to Windows 7, other versions of Windows, such as XP and Vista, will continue to be prevalent for many years. Privilege Guard provides the same capabilities across all Windows platforms, making it possible to implement the same solution in mixed environments and to carry that solution forward through a Windows 7 migration.

UAC and Privilege Guard Comparison

Overcoming 5 Common Operational Challenges of Least Privilege

Few people would argue that implementing least privilege provides considerable security benefits, as removing admin rights eliminates the accidental or deliberate misuse of these privileges. It is also well documented that running under least privilege dramatically decreases the risks posed by malware, as many exploits rely on the user having admin rights for the payload to have the most devastating effect.

In addition to the security benefits of least privilege there are also many operational benefits, as the cost of supporting the corporate desktop is dramatically reduced when the desktop is in a locked and well managed state. However, least privilege does bring its own set of operational challenges, which is why many organizations have struggled to embrace it.

Windows Security Catalogs and Effective Application Control

Solutions that provide whitelisting of applications or control the behavior of applications need to provide the administrator with a set of rules that can be used to precisely identify applications. The most common types of rule will check the file name or certain attributes of the file, as these rules are relatively simple to maintain, and in most circumstances will provide adequate protection, assuming a least privilege approach is in place, where users can’t tamper with application files.

However, sometimes it is necessary to check the integrity of a file, and therefore most good application control solutions should provide additional capabilities for this purpose. In particular, you should expect a solution to provide support for both trusted publishers and file hashing.
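To make the three rule types concrete (file name, trusted publisher, file hash), here is an added PowerShell example that is not Privilege Guard's own code. It assumes PowerShell 5.1 or later, where Get-AuthenticodeSignature also validates catalog-signed Windows binaries, and uses a constructed allowlist with a placeholder hash.

```powershell
# Added example (not Avecto's code): evaluate a file against the three rule
# types described above: file name, trusted publisher and file hash.
# Assumes PowerShell 5.1+, where Get-AuthenticodeSignature honours catalog
# signatures, and a hypothetical allowlist constructed inline below.

function Test-ApplicationRule {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Rule   # @{ Type = ...; Value = ... }
    )
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $file = Get-Item -LiteralPath $Path

    switch ($Rule.Type) {
        # Weakest rule: matches on file name only, so it relies on least
        # privilege preventing the user from swapping in a renamed binary.
        'FileName' {
            return $file.Name -ieq $Rule.Value
        }
        # Trusted publisher: the Authenticode chain must validate and the
        # signer subject must contain the expected publisher string.
        'Publisher' {
            $sig = Get-AuthenticodeSignature -FilePath $Path
            return ($sig.Status -eq 'Valid') -and
                   ($sig.SignerCertificate.Subject -like "*$($Rule.Value)*")
        }
        # File hash: strongest integrity check, but must be updated per release.
        'Hash' {
            $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
            return $hash -ieq $Rule.Value
        }
        default { return $false }
    }
}

# Constructed allowlist: one rule of each type; the hash value is a placeholder.
$allowlist = @(
    @{ Type = 'FileName';  Value = 'notepad.exe' },
    @{ Type = 'Publisher'; Value = 'Microsoft Windows' },
    @{ Type = 'Hash';      Value = '<SHA256-OF-APPROVED-BINARY>' }
)

$target = "$env:SystemRoot\System32\notepad.exe"
foreach ($rule in $allowlist) {
    $ok = Test-ApplicationRule -Path $target -Rule $rule
    Write-Output ("{0,-9} rule -> {1}" -f $rule.Type, $ok)
}
```

Run as-is, the FileName and Publisher rules should pass for the Windows copy of notepad.exe, while the Hash rule fails until the placeholder is replaced with the SHA-256 of the approved build.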

A Brief Introduction to Least Privilege

As a new software release leaves the building, it seemed an opportune time to start blogging, not to plug the release of course, click here. Alright, I’m allowed one shameless plug in my first blog given the team have worked so hard on this release. But seriously, I’m hoping that my blog will become a balance between sharing my experience in the system management space, with a bias towards least privilege, and providing valuable insights into the Privilege Guard product.

I’ve never made the time to blog, but I’m going to make a special effort now, so I suppose we’ll see how it goes. I took the plunge with twitter a few months ago, and although I started well, my tweets fell off as the self-imposed pressures of a new software release mounted. Anyway, enough of the excuses and on with my first blog, and of course there will be a twitter link to this blog, so my tweets will be reborn too!