David Overton's Blog and Discussion Site
This site is my way to share my views and general business and IT information with you about Microsoft, IT solutions for ISVs, technologists and businesses, large and small.  
Tool to modify UAC behaviour in Vista using Group Policy - BeyondTrust Privilege Manager

imageI am one of those people who always leaves UAC enabled - I like to see when something (*cough* - Adobe Update - *cough*) wants to execute with admin privilege on my system and then get the choice as to whether to allow it or not.  However, not everyone likes the choices that are presented by default with the GPOs (Group Policy Objects). Coming to the rescue are tools to help enhance these offerings, such as the Privilege Manager from BeyondTrust.  Sometimes people forget that Microsoft is a platform for others to build on and this is no different.  Their product enables pre-defining the responses to UAC based on a number of variables.  While I have NOT tried the product, it is getting good reviews.  You can however download an eval copy for free if you so desire.

One thing to bear in mind is that when a tool like this is used, you weaken security - why, well, even if you use a SHA1 hash to work out if an application is safe or not, a clever hacker will use plugins, dll's etc to attack that product - it does not have to have the main .exe file to breach the security and once they are in, they are in.

You can find out more about Privilege Manager from the FAQ at BeyondTrust | Privilege Manager FAQ, however a short snippet is below (which I have cut around, so there is much more under each section):

Applications are targeted on the Application tab, which allows you to specify an application by one of several criteria. This includes:

  • Path to an executable file

    • supports wildcards and environment variables

  • Folder of one or more executable files

    • including wildcards and environment variables

  • Hash rule

    • SHA1 hash of the targeted executable file

  • MSI Path rule

    • target Windows Installer installation of specified packages

  • MSI Folder rule

  • ActiveX rule

My gift to those of you who are UAC challenged :-)

 

ttfn

David

Technorati Tags: , , ,

Posted Thu, Aug 30 2007 1:46 PM by David Overton

Comments

AdamV wrote re: Tool to modify UAC behaviour in Vista using Group Policy - BeyondTrust Privilege Manager
on Fri, Aug 31 2007 3:51 PM

I too leave UAC on - if for no other reason than getting to eat the same dog food as most of my clients. When they call, I understand their experience better. Personally I find it helps remind me of those things I am trying to do where I really needed to use runas but forgot. Better than just failing and starting again.

And the Adobe updater prompt was just one of the reasons I got fed up and moved to using Foxit reader for pdf's: preview.tinyurl.com/2kjuy6

Add a Comment

(optional)  
(optional)
(required)  
Remember Me?

(c)David Overton 2006-18