Protection Manager tool helps admins control user privileges

Although mechanisms exist for doing this in Windows, they are close-ended: You can either do something or you can't. It's difficult to carve out exceptions or grant one-time allowances for something.

A third-party solution to this problem is Winternals Protection Manager. This application allows an administrator to define much more precise and controlled parameters for how users and groups of users can (or can't) do things with applications.

Each program can be given one of four levels of control: deny, run as limited user, run as administrator or allow normally. The "deny" function doesn't rely on the type of blacklisting/application-image hashing technique used by Group Policy; if told to do so, it will block anything not specifically authorized by the administrator. (You can use hashes, filenames,

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows Systems and Network Management Tools and Techniques Top five Server Core management tips for Windows 2008 Top free tools for Windows server administration A first look at Internet Information Services 7.0 Windows registry hack improves offline file access for mobile users Reducing the size of network backups in Windows Monitor network bandwidth with CyberGauge How to format NTFS: More tricks to improve file system performance Key enhancements to SCCM give admins more control over assets, licensing Archiving information with New-Item in Windows PowerShell Debugging Userenv issues using Windows new event viewer Windows Systems and Network Administration Common causes of Windows server security vulnerabilities Cutting the cost of Windows identity and access management Using NTFS on a non-Windows OS with NTFS-3G Group Policy Object modeling simplifies network security Implementing simple Network Access Protection for Windows Server 2008 Immediate steps for Windows disaster recovery Tips for Windows domain controller optimization Quick hits: Troubleshooting service account failure, batch job execution Case Study: Troubleshooting Windows service dependency failures Troubleshooting common Windows service failures

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

owners or other methods to define allowed files.) This approach offers an auxiliary benefit: Since any application that isn't specifically allowed can be restricted, viruses and spyware have that much more difficulty getting a toehold.

Another key feature that isn't supported in Windows by default is the ability to get "run-time requests for permission." A user can attempt to launch an application, and if it's denied, they can petition an administrator to grant them the right to do so, immediately, without having their security policy rewritten. Admins can also "harvest" running applications from systems to see what people are using, and then build their restriction policies from that information. That way they can use real-time data and not guesswork or manually tabulated lists to get a handle on things.

A free evaluation version of the product, which runs totally unrestricted for 30 days, is available. Pricing varies based on the number of seats and servers needed, but a sample quoted price for one server and 25 workstations is $1100.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators.

More information from SearchWinSystems.com

Rate this Tip To rate tips, you must be a member of SearchWindowsServer.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.