British firm Avecto has updated Privilege Guard, its admin management tool, which helps organisations safely deal with applications that usually require administrator privileges in order to function.

"Many organisations want to remove local admin rights from their users, but don't know where to start, as they are unsure of why users require a privileged account", said Mark Austin, CTO at Manchester, UK-based Avecto.

"The problem with both large or even small organisations is often the applications themselves," Austin told Techworld. "There are lots of legacy applications out there which organisations are still reliant upon, but these applications are often written in such a way that they need administrator rights to function properly."

"Therefore the end user has to be granted administrator rights, and once they are granted, they can change configurations, plus there are security concerns from malware etc."

"Previously there has been no solution to this problem, but Privilege Guard allows the end user to be assigned standard access rights, and instead assigns the appropriate administrator rights to the applications themselves." Austin said that Privilege Guard is currently only available on Microsoft Windows platforms from XP upwards.

"We don't need to understand the way the application behaves in order to grant it administrator privileges," he said. "Privilege Guard basically assigns all the privileges that the administrator has to an access token of a process as it launches. At that point, the application is running, and we don't need to modify it in any way once it is running."

On Microsoft Windows, when a user logs on, an access token is created for that user, containing all the privileges assigned to them and any groups they are members of. "Without our product, that access token is created and is automatically assigned to every process that starts for that user," said Austin. "Privilege Guard intercepts processes as they start, and if it isn't an application that is part of our product policy, we assign a modified version of the system access token to the process, containing all the privileges that the administrator has."

"This is seamless to the end user," he said. "And it is integrated with Active Directory policies, and supports Novell Zenworks through group policy. This means that no back-end infrastructure is needed to deploy this across the enterprise."