Windows

Tame Vista's User Account Control with BeyondTrust Privilege Manager

You can use TweakUAC to disable the Vista User Account Control (UAC) prompts while leaving its protection intact. TweakUAC is a boon to users of standalone and peer-to-peer networked Windows Vista systems, but it isn't a feasible solution in a domain environment. In this edition of the Windows Vista Report, Greg Shultz introduces you to BeyondTrust Privilege Manager, an alternative for dealing with UAC in the enterprise.

You can use TweakUAC to disable the Vista User Account Control (UAC) prompts while leaving its protection intact. TweakUAC is a boon to users of standalone and peer-to-peer networked Windows Vista systems, but it isn't a feasible solution in a domain environment.

In this edition of the Windows Vista Report, I'll introduce you to BeyondTrust Privilege Manager, an alternative for dealing with UAC in the enterprise.

Microsoft's endorsement of Privilege Manager

Microsoft has put a great deal of time and effort into creating UAC and convincing users and administrators to use it while tolerating the prompts for the sake of security. So it may seem odd that Microsoft is endorsing a product seemingly designed to circumvent UAC. However, it makes sense once you understand that, like TweakUAC, Privilege Manager simply removes the prompts while leaving all of the security provided by UAC in place.

This quote from Austin Wilson, Director of Windows Client Security Product Management at Microsoft, appeared in the press release announcing Privilege Manager 3.5 and its support for Vista's UAC:

"Microsoft recognizes that to help create a secure, auditable and compliant enterprise environment all users should be Standard Users and ideally not have administrative privileges or access to administrator passwords. BeyondTrust Privilege Manager helps corporations that need to allow standard users to run applications that require administrative privileges on Windows Vista with UAC enabled without any prompts or input required from the user. I am pleased to see third-party security vendors such as BeyondTrust improve what is already our most secure business client OS, Windows Vista. The combination of elevating approved applications transparently with Privilege Manager and running UAC in no prompt mode with Internet Explorer in protected mode provides a best of breed solution to the least privilege problem."

You may read between the lines and assume that this endorsement is Microsoft's way of admitting that UAC was a mistake, but I'm not sure that it is. I think it's Microsoft's way of recognizing an innovative approach to working around a side effect of UAC's goal of improving Vista's security.

How Privilege Manager works

Privilege Manager works through Group Policy, allowing administrators to use security policies to control how and when UAC operates. By using Privilege Manager and Group Policy, you can decide which application or operation to authorize and when to elevate privileges. This happens behind the scenes, so to speak, without the UAC prompt and without the end user being aware that anything out of the ordinary is occurring. All of the security features the UAC provides are still in place, protecting the system from inadvertent or malicious activity.

By design, Privilege Manager provides Least Privilege Management solutions to pre-Vista Windows networks, so you can use Privilege Manager 3.5 in a mixed environment of Vista, Windows XP, and even Windows 2000 systems. With Vista and UAC, Privilege Manager-configured policies go to work before the UAC dialog box appears. With Windows XP and Windows 2000, such policies automatically elevate privileges for any authorized activity.

Demos and purchasing information

If you're interested in learning more about Privilege Manager 3.5 or any other offerings from BeyondTrust, check out the online demonstrations and Webinars on BeyondTrust's Events page. Pricing for Privilege Manager starts at $30 per seat. You can also investigate the Free Evaluation version.

Do you think Privilege Manager is right for you?

Do you think it's likely that you'll download Privilege Manager 3.5? Post your thoughts in this article's discussion.

Don't miss a thing!

Delivered each Friday, TechRepublic's Windows Vista Report newsletter features tips, news, and scuttlebutt on Vista development, as well as a look at new features in the latest version of the Windows OS. Automatically sign up today!

About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as Documentation Specialist in the software industry, a Technical Support Specialist in educational industry, and a Technical Journalist in the computer publishing industry.

8 comments
PersonalComputer2010
PersonalComputer2010

A better tool has been released it's called UAC Controller Tool v1.0 and works perfectly for Windows 7. It's easy to use and supports tray area icon. *Works only under Windows 7. However, I suggest this tool.

Tony Hopkinson
Tony Hopkinson

I get probably three nags a day, I mean it's not worthe the effort is it.

rick@Hogans-Systems.com
rick@Hogans-Systems.com

I hear they have some job openings for people who are willing to work for free. Maybe you guys should apply? :P Rick

wcollens
wcollens

Definitely would use it ... if it was free

FilipVW
FilipVW

Although I believe that BeyondTrust did a good job on this product, I feel that this kind of policy based 'plug-in' for UAC, should be included in Vista... at no extra cost. Isn't this something we could expect from MS in Vista SP1 ?

info
info

I agree these UAC control features should integrated at no extra cost at minimum. MS should assure our protection but we should manage the levels. Vista is great but man are we paying for this. My customers are getting into trouble already with Vista not understanding what is going on.

mjlwaimea
mjlwaimea

That annoying UAC can be turned off in system configuration, which can be accessed by using the 'run' function, "sysconfig", or follow: control panel>administrative tools>system configuration>Tools and disable it. I personally gave up on Vista about six months ago, and taking into consideration the mixed reports of its effectiveness I doubt I will be back until SP2. What is going on at Microsoft???

noemib
noemib

Completely agree with filip.v.... Microsoft is endorsing a product that will be used to circumvent their own and we have to pay for it??? Come on....