Avecto Privilege Guard 2.8
Strengths: Simple to deploy and manage, integrates neatly with Windows Group Policy, low footprint agent, can manage privilege elevation for most Windows apps and processes
Weaknesses: No centralised logging and basic reporting
Verdict: Avecto enables LUA security in the workplace with a simple solution that’s easy to deploy and configure
Despite the obvious security benefits, applying the principle of least-privileged user accounts (LUA) to Windows users can be complex and costly for enterprises, because many applications and routine administrative tasks still expect local administrator rights. Avecto's Privilege Guard aims to make LUA a reality with a policy-driven solution that's simple to deploy and manage.
Avecto's solution is to deploy a small agent on each system that allows it to dynamically elevate and demote privileges for specific Windows applications, scripts, tasks and software installers. The whole process can be transparent and Privilege Guard snaps into Windows Group Policy to provide centralised management.
Installation is swift as the management console installs as an extension to Windows Group Policy, allowing it to integrate with Active Directory. We installed the agent manually on our test Windows 7 clients, but MSI packages are also provided for deployment using third-party distribution tools.
Privilege Guard 2.8's new features include an anti-tampering option. Because policy is enforced by adjusting the access token of each process the agent controls, the agent itself is the trust boundary: a user elevated for one application must not be able to turn that elevation against the agent. The agent now defaults to blocking privileged processes from interfering with agent-related files, services and registry settings, or with its policy cache.
The management console is accessed directly from the Group Policy Editor, and it has also been spruced up to give easier access to all policy functions. You start by creating and populating application groups, which define the applications whose privileges you want to control. The process is wizard-driven: after specifying the executable file, you add matching rules.
Matching rules are extensive and can include a filename and folder, a specific location, publisher, command-line pattern match, version, file hash and more. Usefully, rules can also be applied to Windows UAC: when an application would trigger a UAC prompt, you can replace the standard elevation request with a custom Privilege Guard message and action.
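To show what those matching criteria actually test, here is an added PowerShell example (not Avecto's code; Privilege Guard ships no such cmdlets). It gathers the attributes a rule can match on for a given executable and evaluates a hypothetical rule against them. The `$Rule` hashtable format and the assumption that every criterion present in a rule must match are mine, not the product's; `Get-FileHash` needs PowerShell 4 or later.

```powershell
# Added example, not part of Privilege Guard. Collects the attributes a matching
# rule can test (path, publisher, version, hash) and evaluates a rule against them.
# The $Rule hashtable layout is invented for this example, as is the assumption
# that all criteria present in a rule must hold for the rule to match.

function Get-AppAttributes {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # Publisher is only meaningful when the Authenticode signature verifies
    $publisher = $null
    if ($sig.Status -eq 'Valid') { $publisher = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Path      = $item.FullName
        Publisher = $publisher
        # Build a comparable version from the numeric parts (ProductVersion can contain text)
        Version   = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                  $vi.FileBuildPart, $vi.FilePrivatePart)
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Test-AppRule {
    param(
        [Parameter(Mandatory)]$Attributes,          # output of Get-AppAttributes
        [Parameter(Mandatory)][hashtable]$Rule      # keys: PathPattern, Publisher, MinVersion, Sha256
    )
    $checks = @()
    if ($Rule.ContainsKey('PathPattern')) { $checks += ($Attributes.Path -like $Rule.PathPattern) }
    if ($Rule.ContainsKey('Publisher'))   { $checks += ($Attributes.Publisher -eq $Rule.Publisher) }
    if ($Rule.ContainsKey('MinVersion'))  { $checks += ($Attributes.Version -ge [version]$Rule.MinVersion) }
    if ($Rule.ContainsKey('Sha256'))      { $checks += ($Attributes.Sha256 -eq $Rule.Sha256) }
    # A rule with no criteria matches nothing; otherwise every criterion must hold
    return ($checks.Count -gt 0) -and ($checks -notcontains $false)
}

# Usage: compare a weak path-only rule with publisher-plus-path and hash-pinned rules
$attrs = Get-AppAttributes -Path "$env:SystemRoot\System32\notepad.exe"
$attrs | Format-List

$pathOnly  = @{ PathPattern = '*\notepad.exe' }
$publisher = @{ PathPattern = "$env:SystemRoot\System32\*"
                Publisher   = 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US' }
$pinned    = @{ Sha256 = $attrs.Sha256 }

'Path-only rule matches:      {0}' -f (Test-AppRule -Attributes $attrs -Rule $pathOnly)
'Publisher+path rule matches: {0}' -f (Test-AppRule -Attributes $attrs -Rule $publisher)
'Hash rule matches:           {0}' -f (Test-AppRule -Attributes $attrs -Rule $pinned)
```

The three rules illustrate the trade-off a policy author faces. A filename-only rule is easy to write but can be satisfied by any file with that name in a location the user can write to, so it should be paired with a trusted path or a publisher. A publisher rule survives vendor updates but depends on the file carrying a signature PowerShell can verify (the publisher subject above is the usual Microsoft Windows one; a binary whose only signature is in a catalog file may report no publisher, and the rule then fails). A hash rule is the tightest but has to be updated with every patch.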
Privilege Guard can manage access to Windows and PowerShell scripts, management console snap-ins, Control Panel applets, Windows Installer packages, ActiveX controls, registry settings files and running processes. Avecto includes a heap of templates for common Windows applications. New to this version are additional templates for printer driver vendors, web downloaders, further applications and more ActiveX controls.
Administrative privileges are controlled using access tokens, and four are provided as standard to elevate, demote, do nothing or enforce a user's default rights. You can create custom tokens for adding or removing privileges for a particular application group.
Policies link application groups with AD users and groups, and can apply actions and present end-users with messages. For the latter, you can choose whether to advise a user that their privileges have been changed or that application execution has been blocked.
When user privileges have been elevated, you can generate a custom message with hyperlinks. You can also use messages to present users with a dialogue box asking for a reason for running an application or process that needs elevated privileges.
Security has been tightened up, as all policies are now digitally signed so that the agent can detect whether they have been tampered with. Audits are more detailed, and an additional agent installation mode makes the agent accept only validly signed policies, or warn when an unsigned policy is pushed to it; the signatures therefore only protect you if that mode is chosen when the agents are deployed.
Within each policy, you can also choose the level of application logging, the number of event activity records to store and how long the log is retained. For reporting, each agent writes all events to the Windows Application event log, and an MMC snap-in gives access to these details locally and remotely.
This is the weakest part of Privilege Guard 2.8, as the snap-in is designed to view the log of a single system, so you need to add an instance of it to the console for every system you want to inspect. The alternatives are to use scripting or an event forwarder to send the logs to a central location.
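The scripted route, as an added example rather than anything shipped with the product: the PowerShell below pulls the agent's events from the Application log of a list of clients into a single CSV for review or onward shipping to a SIEM. The hostnames, the event source name ('Privilege Guard') and the output path are assumptions; check Event Viewer on one client for the source the agent actually logs under before relying on the filter.

```powershell
# Added example, not part of Privilege Guard: centralise the agent's Application-log
# events from several clients into one CSV. Hostnames, the provider name and the
# output path are assumptions for this example.
$Computers = @('WIN7-CLIENT01', 'WIN7-CLIENT02')     # assumed client hostnames
$Provider  = 'Privilege Guard'                          # assumed event source name
$Since     = (Get-Date).AddDays(-1)
$OutFile   = 'C:\Logs\PrivilegeGuard-Events.csv'

$events = foreach ($computer in $Computers) {
    try {
        Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = $Provider
            StartTime    = $Since
        } | Select-Object @{ n = 'Computer'; e = { $computer } },
                          TimeCreated, Id, LevelDisplayName,
                          @{ n = 'UserSid'; e = { $_.UserId } },
                          Message
    }
    catch {
        # Get-WinEvent raises a terminating error when nothing matches; that is not
        # the same as an unreachable host, so distinguish the two
        if ($_.Exception.Message -like 'No events were found*') {
            Write-Verbose "$computer`: no $Provider events since $Since"
        }
        else {
            Write-Warning "$computer`: $($_.Exception.Message)"
        }
    }
}

if ($events) {
    $events | Sort-Object TimeCreated |
        Export-Csv -Path $OutFile -NoTypeInformation -Append -Encoding UTF8
    '{0} events written to {1}' -f @($events).Count, $OutFile
}
else {
    'No matching events collected'
}
```

Remote collection needs the Remote Event Log Management firewall rule group enabled on the clients and an account with rights to read their Application logs; the collecting machine needs PowerShell 3 or later for `Export-Csv -Append`. Polling in this way is fine for a handful of machines, but for a larger estate the event forwarder option the review mentions (Windows Event Forwarding subscriptions into a collector) scales better and does not depend on clients being online when the script runs.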
Privilege Guard doesn't provide any built-in facilities for policy backup, but this can be achieved with a standard backup product. Policies are stored alongside their Group Policy Objects in the domain controllers' SYSVOL folder, so a system-state backup of a domain controller will capture them. Policies can also be copied to another location by exporting them from the Group Policy Editor as XML files, but this is a manual process.
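Because the policy lives inside ordinary GPOs, the standard Group Policy backup cmdlets cover it without any Avecto-specific tooling. The following is an added example, not the product's own code: a script suitable for a scheduled task that backs up every GPO matching a naming convention and prunes old copies. The `GroupPolicy` module (from RSAT or a domain controller), the 'PG -' GPO name prefix and the backup path are assumptions.

```powershell
# Added example, not part of Privilege Guard: scheduled backup of the GPOs that carry
# its policy. Assumes the GroupPolicy module is available (RSAT or a DC) and that the
# relevant GPOs share an assumed 'PG -' display-name prefix.
$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy

$BackupRoot  = 'D:\GPOBackups'   # assumed destination
$NamePattern = 'PG -*'           # assumed naming convention for Privilege Guard GPOs
$KeepDays    = 30

# One timestamped folder per run so each run is a consistent, restorable set
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$gpos = Get-GPO -All | Where-Object { $_.DisplayName -like $NamePattern }
if (-not $gpos) { throw "No GPOs match '$NamePattern'; check the naming convention" }

foreach ($gpo in $gpos) {
    # Backup-GPO copies the GPO's SYSVOL folder (where the agent policy files live)
    # together with its AD attributes and permissions
    $backup = Backup-GPO -Guid $gpo.Id -Path $dest -Comment "Scheduled backup $stamp"
    'Backed up "{0}" (GPO {1}) as backup {2}' -f $gpo.DisplayName, $gpo.Id, $backup.Id
}

# Prune run folders older than the retention period
Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item -Recurse -Force
```

To bring a policy back, point `Import-GPO` at the run folder, for example `Import-GPO -BackupGpoName 'PG - Standard Users' -Path D:\GPOBackups\<stamp> -TargetName 'PG - Standard Users'`. GPO links to OUs are not part of a GPO backup and must be re-created after an import, and the backup folder holds the same sensitive policy content as SYSVOL, so restrict who can read it.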
This is a simple solution for implementing and managing an LUA-based security strategy for Windows users. Reporting and auditing are basic, but it's capable of handling privilege elevation for virtually any app or process, and integration with AD and Group Policy makes it easy to deploy.