by January 31, 2013 0 comments

PowerBroker is a solution from BeyondTrust for privilege management and application control on physical and virtual Windows desktops and servers. By leveraging Active Directory and Group Policy, PowerBroker tries to eliminate administrator privileges, allowing users to run as standard users and give granular control over the applications a user can/can’t launch on his desktop.

BeyondTrust suggests that for a secure and compliant Windows environment, end users must not be granted local administrator or even power user privileges. Certain applications require elevated privileges in order to run and many users often need the ability to manage certain elements of the system; installing printers, changing network settings, or installing approved software.

Granting users additional privileges is not the optimal solution. So, what PowerBroker does is to assign only the required privileges to specific applications, rather than giving those privileges to the user. This enables businesses to adopt the best practice of “least privilege” to improve their security and malware resistance without impacting the user’s productivity to perform different tasks. Removing administrator rights from users mitigated nearly 80% of the Microsoft vulnerabilities disclosed in 2011, according to the Microsoft vulnerability database. PowerBroker’s whitelisting and blacklisting technology allows you to specify which applications are permitted to run (or which are not) using a GUI.

PowerBroker facilitates silent discovery of applications that require elevated privileges and automatic generation of a set of rules to ensure those applications are granted the appropriate rights. A cut-and-paste operation allows one to deploy these rules, and then safely remove administrative rights from users without any visible change. There is also PowerBroker DLP, a DLP solution for physical, virtual, and mobile devices. It leverages artificial intelligence to simplify DLP deployment.

With PowerBroker for Windows, organizations control the execution of applications, software installs, ActiveX controls, and system tasks that require elevated or administrative privileges. Policies in PowerBroker are applied by creating rules in the familiar Group Policy Editor. Users, groups, and individual devices are targeted using Group Policy. Thus, by setting PowerBroker policies, end-users without administrative privileges are able to run the applications that admins choose. Users can request for a free trial from

Innovative approach, has pitfalls though

But the products are not without their pitfalls although the approach is innovative and is used by many large organizations. At the time of writing, Windows 8 was not listed as a supported platform for PowerBroker. In addition, it is a known fact that on a Windows XP machine, the built-in Administrator user account (which is hidden in normal startups of the machine) has no associated password protecting it by default and all it takes is someone to switch to Safe Mode while booting up the PC to gain access to this account assuming the account hasn’t yet been protected with a password.

When we discussed this with Brian Chappell, Director of Sales Engineering, BeyondTrust, it was unclear as to whether the agent installed by PowerBroker which monitors the running application’s privileges would still work in Safe Mode, in the absence of which an attacker would be able to bypass the security provided by PowerBroker (and possibly use a network too in case Safe Mode with Networking has been selected and connectivity is available).

The DLP solution offered does detect movement and copying of partial data and BeyondTrust did actually demonstrate this at their India roadshow in Mumbai but it cannot prevent screenshots. This means that in case a confidential document or some copyrighted charts/research graphs are currently being displayed on the screen, they can still be copied elsewhere atleast in the form of images if not directly in the form of editable text. To this, Chappell stated that documents holding confidential data are typically several pages long and taking screenshots of several pages isn’t commonplace.

He also stated that the DLP solution is designed to analyze the behaviour of movement of data both within the filesystem as well as within the network for a given user and can detect obvious changes from the same. In addition, it was also not very clear as to whether the DLP solution can detect data being transferred in the form of encrypted/password-protected compressed archives.

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.