British firm Avecto has updated its admin management tool known as Privilege Guard that helps organisations safely deal with applications that usually require administrator privileges in order to function.

"Many organisations want to remove local admin rights from their users, but don't know where to start, as they are unsure of why users require a privileged account", said Mark Austin, CTO at Manchester, UK-based Avecto.

"The problem with both large or even small organisations is often the applications themselves," Austin told Techworld. "There are lots of legacy applications out there which organisations are still reliant upon, but these applications are often written in a such way that they need administrator rights to function properly."

"Therefore the end user has to be granted administrator rights, and once they are granted, they can change configurations, plus there are security concerns from malware etc."

"Previously there has been no solution to this problem, but Privilege Guard allows the end user to be assigned standard access rights, and instead assigns the appropriate administrator rights to the applications themselves." Austin said that Privilege Guard is currently only available on Microsoft Windows platforms from XP upwards.

"We don't need to understand the way the application behaves in order to grant it administrator privileges," he said. "Privilege Guard basically assigns all the privileges that the administrator has to an access token of a process as it launches. At that point, the application is running, and we don't need to modify it in any way once it is running."

With Microsoft Windows, when a user logs on, an access token is created for that user which contains all the privileges assigned, and any groups they are members of. "Without our product, that access token is created and is automatically assigned to every process that starts for that user," said Austin. "Privilege Guard intercepts processes as they start and if it isn't an application that is part of our product policy we assign a modified version of the system access token to the process, contain all the privileges that the administrator has."

"This is seamless to the end user," he said. "And it is integrated with Active Directory policies, and supports Novell Zenworks through group policy. This means that no back-end infrastructure is needed to deploy this across the enterprise."

One of the main features of version 2.1 of Privilege Guard is what Avecto is calling the Privilege Monitoring capability. "Companies typically fall into two camps on administrator rights," said Austin. "One camp understands why their end users have been granted administrator rights, and for that camp using our product it is usually straight forward."

"The other camp however is organisations where the end users have administrator rights, but they don't know why," he said. "The challenge here is to ID those applications that need elevated privileges. Privilege Monitoring is a feature that allows you to deploy our client out to the desktop in passive mode."

"It will monitor the behaviour of applications and log events for any application that would fail to function correctly under a standard user account," he said. "We can also collect detailed activity reports on each application, to understand exactly why each application needs admin right to function, such as file activity, registry activity, interaction with kernal objects etc. Once it has captured this information, it assists you in designing policy to ellivate specific applications that have been identified. Once done, you can remove the user from the local admin group."

List price for Privilege Guard is £20 ($33) per desktop, but volume discounts apply. An evalution copy can be downloaded here.