Least Privilege = Least Risk = Least Cost. That’s right on Avecto’s website, and they’re totally right.
When you’ve got Avecto Privilege Guard on your Windows machines, your users are operating with a least privilege account and the privileges are assigned directly to the applications that require them.
It’s a great plan: your company is more secure when a privilege management product like Avecto Privilege Guard is in place, because users can’t act as Administrators anymore.
It’s a great first step toward getting your PCs and VDI more secure. But that plan is missing something.
The unfortunate truth is that Standard User accounts can still misconfigure the desktop, the operating system (Control Panel), key applications (Flash, Acrobat, Java), or the other desktop and business applications you have.
Here’s the video to show you where using Avecto Privilege Guard is a great first step, and how PolicyPak goes the extra mile if you truly want a locked down and secure Windows:
Getting a “Least Privilege desktop” is great. But it simply doesn’t solve the big problems left after you transition to Standard User rights:
- How are you able to guarantee key application and operating system settings for users?
- How can you prevent users from messing up their apps?
- How can you ensure users won’t work around your important security and operating system settings?
- How can you re-apply key application and operating system settings when users are disconnected from the network?
A “Least Privilege” solution like Avecto Privilege Guard doesn’t solve these issues. And that’s okay – that’s not the problem they’re trying to solve.
That’s why there’s PolicyPak.
Users of Avecto Privilege Guard will feel right at home with PolicyPak: both use Group Policy as the delivery mechanism for settings, both use a Group Policy client-side extension, and both use a GPMC snap-in.
PolicyPak prevents users from manipulating important settings, but also quietly reapplies misconfigured settings if a user or application happens to work around them.
In short, PolicyPak enhances your Avecto Privilege Guard investment. And PolicyPak protects your users from themselves.
PolicyPak was designed by Group Policy MVP Jeremy Moskowitz – who “wrote the book” on Group Policy, runs GPanswers.com, and lives and breathes Group Policy and enterprise software deployments and desktop lockdown.
PolicyPak complements Avecto Privilege Guard Video Transcript
Hi, everyone. This is Jeremy Moskowitz, Group Policy MVP. In this video, I’m going to show you if you’re an Avecto Privilege Guard customer why you still need PolicyPak to really get true desktop security.
Let’s get started right away. As you can see here, I’m logged on as a regular user. His name is “EastSalesUser2.” The Privilege Guard stuff isn’t even enabled yet. I just want to show you what a regular user can do.
There’s nothing preventing a standard user from just clicking that on or going to “Security (Enhanced)” and unchecking “Enable Enhanced Security.” Again, a regular user can just do that, click “OK,” life goes on as perfectly normal.
Now one of the things that is also kind of interesting is that a lot of organizations want to keep the automatic updates turned off. PolicyPak can do that. We can dictate those settings. But when it comes to a product like Avecto Privilege Guard, what you may want to do is for most people leave it on the setting of “Do not download or install updates automatically” but use PolicyPak to dictate the setting of “Automatically install updates.”
The problem is that even if a user is granted this radio button and they click “OK,” well, they encounter this UAC prompt that they don’t have access to actually perform that function. Now that is what Avecto Privilege Guard is going to do for us. So, again, I’m going to show you a one-two combination.
The first thing I’m going to do is I’m going to show you how PolicyPak can deliver the correct settings in. Then the second thing I’m going to do is show you how Avecto Privilege Guard can deliver the right UAC credentials or the right privilege effect so that the UAC credentials are not going to be there.
To get started with this, I’m going to go to my Group Policy Management Station and against my “East Sales Users” I’m going to “Create a GPO.” I’m going to call this “Manage Acrobat using PolicyPak and Priv Guard.” Now, in fact, if you’ll notice I’m actually gearing up to do two things in this one Group Policy Object. That actually makes a lot of sense for this better together story.
The first thing we’re going to do under “PolicyPak/Applications” is we’re going to use one of our PreConfigured PolicyPaks, “New/Application” for “PolicyPak for Acrobat Reader X.” You can see we’ve got a whole lot of them here. In fact, we’ve got over 15, but these are the ones I’ve got set up for this demo.
Let’s go to that “Security (Enhanced).” We want to make sure that checkbox is always checked. While we’re here, we’ll go ahead and right click and also "Disable corresponding control in target application." We’re going to guarantee that checkbox is going to be checked.
Let’s go over to “Updater.” Now you can set using PolicyPak the default setting you want here. Let’s say, for instance, we want the default setting to be “Do not download or install updates automatically.” We’ll go ahead and just leave it as it is. We’ll set the setting to “Do not download or install updates automatically.” Let’s just see the PolicyPak part work. We’ll go ahead and click “OK.”
We’ll go over to our client machine, and we’ll run “gpupdate.” Again, no Privilege Guard stuff yet, just all PolicyPak for right now. We’ll go ahead and wait for this to finish. Of course, the user could just log on to a new machine and get this. Or if you’re using VDI, start up a new session. Or if you’re getting a new laptop or desktop or changing job roles, that is when you’re going to get this policy as soon as you log on. Let’s go ahead and as soon as this is done.
We’ll go ahead and run “gpupdate” here to get the latest greatest settings. Again, so far we’re just doing the PolicyPak part of this. We’ll do the better together story right after. I just want to make sure the PolicyPak part is doing its thing and we can understand what PolicyPak is doing here. We’re running GPUpdate here. We could also wait 90 minutes or so, or get a new machine, or log off and log back on, or use a new VDI session or change job roles. Anything where Group Policy updates, we’re going to get that setting.
Let’s go to “Security (Enhanced).” We’ve delivered the checkbox and guaranteed the user can’t check it. We’ve grayed out the setting, disabled it so the user can’t get around it.
Now remember we talked earlier about “Updater.” We just set the setting to “Do not download or install updates automatically.” PolicyPak did that. But if you want to grant your users the ability to install updates and you click “OK,” that’s the problem. This is where we get to begin our better together story with Avecto Privilege Guard.
Let me go ahead and close this off and go back to that very same Group Policy Object I had earlier. It’s over here on my management station. If I dive down under “Policies/Privilege Guard Policies,” I actually spent a little time and I can import the Privilege Guard policies that I pre-created for this demonstration. They’re right here.
In fact, I’ve got three things I want to show you today, but I don’t want to do all of them right now. I’ll go ahead and “Delete” that. That’s fine. The only one that I want to have enabled is “Allow Acrobat to Update.” I’m using Privilege Guard to allow Acrobat to update. Because it uses Group Policy just like PolicyPak, the very next time we run “gpupdate” or get a new system or change job roles or any Group Policy refresh event, we’re going to get that policy setting. Now that problem should go away.
What we’re about to see, PolicyPak deliver the settings and then Privilege Guard can elevate the rights because of privilege management. We’ll wait for that to finish real fast. There we go. We’ll run “Acrobat Reader X” here. We go to “Edit/Preferences…” here. Again, just to show you PolicyPak is still doing its thing on each of the settings that we set.
Now under “Updater” here’s where it gets cool. PolicyPak has delivered this setting. But now if we click on, say, for this particular user or collection of users “Automatically install updates,” now is where Avecto Privilege Guard kicks into high gear. When we click “OK,” we’re not going to see a UAC prompt. That’s exactly what we wanted to see.
That’s the first of three demos I wanted to show you in my better together story. The next one is actually about Flash. Let me go ahead and close this out here. Let me open up a browser here, and I want to show you a web page that’s kind of interesting. Let me go ahead and say “Yes” to all that here. OK, finally. Let me go ahead and close that. The next thing I want to show you is very interesting as well. Let me go to this web page called “www.testmycam.com.”
OK, so here’s the deal about “www.testmycam.com.” It’s actually able to use the Flash Player on your machine and a regular user – again, I’m just logged on as this guy “EastSalesUser2” – some regular guy who is a standard user can just click “Allow” and here I am on camera. You can see me right now through the Flash Player on this machine. I don't know what that space age scary stuff is over there, so let’s not get distracted by that. The point of the story is any regular low level standard user can just click “OK” and now possible company secrets are going through the camera or the microphone or both.
Now this isn’t something that Avecto Privilege Guard fixes. That’s not its job. This is where PolicyPak kicks in. Let me go ahead and close this off. We’ll dive back into my management station, and we’ll do another better together story. We’re going to say “Manage Flash Player using PolicyPak and Priv Guard.” So another better together story, two things that we can do with the same Group Policy Object.
We’ll go ahead and click “Edit…” here. We’ll do the PolicyPak stuff first. We’ll dive down under “PolicyPak/Applications/New/Application” and we’ll pick “PolicyPak for Flash Player.”
Now I’ve got a whole other video specifically for the Flash Player, but the thing we want to talk about for this example is “Block all sites from using the camera and microphone.” I’m going to go ahead and select this setting and then also force it so the user can’t work around it. I want to right click over and "Disable corresponding control in target application." I’m going to make these radio buttons gray out so the user can’t possibly screw it up.
In fact, I don’t even want them to mess with this button, so I’m going to right click over and "Disable corresponding control in target application" for that too. That’s totally gone.
Now let’s talk about the “Updater” function. Once again, you may choose to by default “Never check for updates.” Even though it says it’s not recommended – that’s Flash Player saying not recommended – maybe it is recommended. Maybe you have a process that you have already in place to deploy Flash Player on a schedule, but some people you want to be able to perform the “Check Now” function. So we’ll leave that button there.
But this “Trusted Location Settings” button, we’re going to right click over that guy and we’re going to literally "Hide corresponding control in target application." The “Trusted Location Settings” actually allows a user to potentially bypass any of these settings and act as a developer. We don’t want them to do that, so we’re going to just get rid of that function altogether.
Let’s just see the PolicyPak part work first. We’ll go ahead and go back to our machine here, our client machine. We’ll run “gpupdate,” and then we’re going to run Flash. Well, first and foremost, let’s see if it clobbered our camera, which is exactly what we told it to do. Let’s go ahead and do that first. OK, that’s all done.
Let’s go ahead and rerun and go back to “www.testmycam.com” and no camera. That’s exactly what we wanted. Also, this is still a Flash area and a user can right click over and go to “Settings” here and click “Allow.” Again, this is just a regular user here, and you can see that a regular user still has all these access rights here. We want to make sure that the thing that we don’t want them to do is being delivered, that setting is being delivered by PolicyPak and locking out.
Now this is a little tricky. The Flash Player window here kind of makes it look like it’s not blocking cameras. It makes it look like it’s asking me when a site wants to use the camera or microphone, but clearly it’s not. It’s actually being locked down, just the window because it’s grayed out or something doesn’t show that it’s being reflected. It is actually doing the thing we told it to do. PolicyPak is enforcing that setting.
Next, let’s go to “Advanced” here. See, we allowed users to go ahead and “Check Now.” We’ll come back to that in a second, but under “Developer Tools,” look. That button is completely gone.
You know, I meant to get rid of this dialogue box, the “Check Now” and “Never check for updates.” Let me go ahead and fix that. I didn’t mean to do that. Let me go ahead and fix that. It’s super easy to do. I’ll go back to “Advanced” here, right click and then "Disable corresponding control in target application." It’s just that easy. We’ll go ahead and "Disable corresponding control in target application," and we’ll run “gpupdate” again because I forgot to do that. We’ll just wait for the five seconds it takes to do that.
Alright, now that that’s done, we’ll go back to “www.testmycam.com.” Sorry about that. Right click, go to “Global Settings…” and then, again, I’m just a regular user. Still none of the Privilege Guard stuff is engaged. It’s just all PolicyPak right here. If we go back to “Advanced,” I’ve now grayed out that dialogue box. It is definitely not going to check for updates. It’s definitely locked down to never checking for updates. Even though it’s not really showing, it really is.
As I said, for the “Developer Tools,” we’ve just obliterated that button so a user can’t scoot in and pretend that they’re a developer. But we did leave this “Check Now” button available to them, and that’s what I want to talk about now with our better together story with Privilege Guard. If I were to allow a user to go to the “Player Download Center” here and “Download now” the Flash Player update. I’m going to go ahead and hit “Save” here and “View Downloads.” Go ahead and do all that stuff that we’ve got to do here.
Alright, so now that it’s there, let me go to the “Downloads” location, and well you know what’s coming, right? This is a standard user. I’m just some guy, “EastSalesUser2.” If I try as a standard user to “Run” this application, UAC prompt. That might be what you want for some users, but you might also want to work around that for other users. That’s where Avecto Privilege Guard can help you.
Let me go ahead and leave this here. Let me go back to my management station over here. In the same Group Policy Object, “Manage Flash Player using PolicyPak and Priv Guard,” I’ll dive down under “Policies/Privilege Guard Policies.” Again, I’ve got a pre-created one that I created earlier today, “Import Privilege Guard Policies…” here. There we go.
The one that I want is the “Allow Flash to Update.” I’ll go ahead and “Delete” this guy and “Delete” this guy. “Allow Flash to Update” is the policy that I want now. We’ve got our PolicyPak policies delivering Flash Player stuff here. We have our Privilege Guard policies delivering the UAC elevated rights privileges there.
Now let’s go ahead and just run “gpupdate” on this machine. If all goes well, instead of a UAC prompt, Privilege Guard is going to enable updated rights for the user, and that user should be able to install Flash Player super easily. We’ll go ahead and watch that right now.
Now that that’s done, just go ahead and click on “install_flashplayer10ax_gtbd_aih.” Before we had a UAC prompt in our face. Now it’s bypassed, exactly what we expected. I’m going to go ahead and quit that here. We don’t need that, so we’ll go ahead and say “YES” we’re done with that.
That’s the general idea. PolicyPak has delivered the correct settings that are important for you in your environment. Users can’t work around them. But if you need to have elevated privileges, that’s exactly what Avecto Privilege Guard is all about.
Let me go ahead and close all this stuff out here. I guess I’m done there. Let’s go on to my third better together story. Let me show you this, which is regional options. I’m using “Region and Language” options as an application you might have. It could be a bigger, badder application. I just happen to be using Region and Language here.
There are a lot of things for users to mess up here, and that’s the perfect opportunity for PolicyPak to deliver settings, because it’s important for the user to get what you want them to get. For instance, I know this is a little out of the ordinary, but “First day of week,” this says “Sunday.” Maybe we want to make it “Tuesday” for all of our East Sales Users for some reason.
“Additional settings…,” there’s a lot of stuff for them to do here and to mess up and to screw up. Maybe we don’t want them to have access to that at all. Wouldn’t it be neat to be able to literally remove the UI so they can’t screw that up?
But let’s take a look under the “Keyboard and Languages” and “Administrative” tabs here. Notice how there are UAC prompt style buttons here. What happens if you click on one of these UAC style buttons? Well, you’re going to get a UAC prompt, because again I’m logged in as just a good old regular user. Let’s see if we can get our better together story again going with PolicyPak and Avecto Privilege Guard.
What we’re going to do, we’ll go back to our Group Policy Management Console here. We’ll “Create a GPO” called “Manage Regional Settings with PolicyPak and Priv Guard.” We’ll right click over it, click “Edit…” We’ll dive down under the user side and under “PolicyPak/Applications/New/Application.”
Let’s just do all the PolicyPak stuff first. We’ll go ahead and select “PolicyPak for Region and Language” options here. Again, this is not a pre-created one. I might make it available soon, but this one took me a whole five minutes to create in our PolicyPak Design Studio.
If I want to set the “First day of week” to “Tuesday” but then also right click and "Disable corresponding control in target application" again, what I am saying is that I’m not only setting the setting to Tuesday but again the user can’t work around this setting. There’s no way for them to click on this or to work around the setting.
This “Additional settings…” button, remember we saw all those settings that were available underneath the hood? Let’s make it so that the user just doesn’t even have access to that. We’ll just "Hide corresponding control in target application," really remove the UI.
Let’s go back to “Keyboard and Languages.” I don’t have it here, but this was a UAC prompt and that was a UAC prompt and this was a UAC prompt. Maybe you want them to be able to get into some of the UAC prompts but not others.
Like, for instance, this “Copy settings…” (under “Administrative” tab), maybe that’s a little too weird for them to get to. You can right click over that and, again, "Disable corresponding control in target application." This isn’t something that Avecto Privilege Guard can do. Only PolicyPak can do that.
We’ll go ahead and in the same GPO, we’ll dive down under “Policies/Privilege Guard Policies” and I’m going to “Import Privilege Guard Policies…” I’ve already got one pre-created just for this occasion. I’ll go ahead and “Delete” that one we don’t need, and I’ll “Delete” this other one we don’t need here.
I’ve got “Allow Regional Options UAC Bypass” for Privilege Guard. So a one-two combination. On the one hand, PolicyPak is going to deliver those settings like Tuesday and lock it down and remove the UI elements that users shouldn’t have access to. On the same GPO, we’re going to have Privilege Guard enable users to bypass the UAC prompt for Region and Language options.
Let’s check this out. With one “gpupdate” we’ll do both at the same time. We’ll just wait for this to finish, but again we know that as soon as we log on for the first time or the next time, or we get a new laptop, or we get a new VDI session or we’re logging onto a terminal server, any of those things, any event that causes Group Policy to update, that is when each, both PolicyPak policies and Privilege Guard policies, kick into high gear.
We’ll go ahead and now run “Region and Language” options. Hey, look, exactly what we expected. PolicyPak has delivered the “First day of week” as “Tuesday,” just as we expected here.
Let’s go over to “Administrative.” Cool. We’ve grayed out that weird “Copy settings…” button. Even though the user is elevated using Avecto Privilege Guard, there’s still no way for them to select this item. Let’s think about that. The user is now running as an admin here, because if they click on this guy, for instance, they no longer get the UAC prompt. So we know they’re running as an admin.
But what PolicyPak does is that it actually delivers the setting underneath the hood as we saw here, “First day of week” “Tuesday,” but also grays out or literally removes the UI from portions of the application. In fact, the application has a button here that’s called “Additional settings…” that’s just completely absent because we removed it, PolicyPak removed it. That is another awesome better together story.
Let’s make sure we got it straight. PolicyPak delivers settings, locks down the UI. Avecto Privilege Guard enables you to enhance the user experience by allowing them under certain circumstances to bypass the UAC prompts and get elevated rights even when they’re running as a standard user as we are here.
If you’re ready to try your own better together story using PolicyPak, well, we’re here for you. Just click on the big old download button on the right or select to join us at our next webinar and learn more about PolicyPak. That’s how you get the PolicyPak downloadable.
Thank you very much for watching. Remember, with PolicyPak what you set is what you get. Thanks so much.