If you’re working toward a “least privilege” solution, then you’ve likely investigated BeyondTrust’s PowerBroker Desktops Windows Edition (formerly Privilege Manager). The goal is simple: have your users run as Standard Users instead of with Administrator privileges, and let BeyondTrust’s PowerBroker elevate an application or operating system component only when needed.
It’s a great plan: you are more secure with a privilege management tool like BeyondTrust’s PowerBroker Desktops Windows Edition (formerly Privilege Manager) because you’ve made the commitment to run users with Standard User rights instead of with Administrative rights. Excellent!
But that plan is missing something. A big something.
Standard Users can still misconfigure and damage the operating system and Control Panel, key applications (Flash, Acrobat, Java), or any other business applications you’ve provided them.
Here’s the video to show you how BeyondTrust PowerBroker and PolicyPak can work together to truly lock down and secure Windows:
Getting a “Least Privilege desktop” is great. But it simply doesn’t solve the big problems left after you transition to Standard User rights:
- How are you able to guarantee key application and operating system settings for users?
- How can you prevent users from messing up their apps?
- How can you ensure users won’t work around your important security and operating system settings?
- How can you re-apply key application and operating system settings when users are disconnected from the network?
A “Least Privilege” solution doesn’t solve these issues.
Only PolicyPak does.
Users of BeyondTrust PowerBroker Desktops Windows Edition (formerly Privilege Manager) will feel right at home with PolicyPak: both use Group Policy as the delivery mechanism for settings, both use a Group Policy Client-Side Extension, and both use a GPMC snap-in.
PolicyPak prevents users from manipulating important settings, and it also quietly reapplies those settings if a user or application happens to work around them.
In short, PolicyPak enhances your BeyondTrust investment. And PolicyPak protects your users from themselves.
PolicyPak was designed by Group Policy MVP Jeremy Moskowitz – who “wrote the book” on Group Policy, runs GPanswers.com, and lives and breathes Group Policy and enterprise software deployments and desktop lockdown.
PolicyPak Enhances BeyondTrust PowerBroker: Video Transcript
Hi, this is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this video, I’m going to show you why you need PolicyPak even if you’re already using PowerBroker Desktops Windows Edition, formerly BeyondTrust and Desktop Standard’s Privilege Manager utility.
First things first, I’m running as a standard user here. I don’t even have the PowerBroker Desktops stuff engaged at this point. I’m just running as a regular user.
Or they can click on “Security (Enhanced),” and they can uncheck this “Enable Enhanced Security” thing and then click “OK.” As soon as you click “OK,” that’s it. They’ve done it. They’re a standard user, and they’ve done just that. That’s not good. You definitely don’t want users to be able to do that sort of thing.
Another big problem you might have is with the “Updater.” A lot of people look toward a privilege management product like BeyondTrust PowerBroker Desktops Windows Edition so that they can control the user’s ability to, in fact, install their own updates.
Now you’ll see here that if a user clicks on “Automatically install updates,” they’re going to get the “User Account Control” prompt. That’s the kind of thing that PowerBroker Desktops Windows Edition can help you with, and that’s not what we do at PolicyPak. We’re going to show you both sides of the coin.
Let’s go ahead and take care of that problem first. Let’s do one at a time. We’ve got three very cool examples, so we’ll do one at a time. Let’s go over to our Group Policy Management Console here. The first thing we want to do is we’re going to “Create a GPO” here and call this “Manage Acrobat Using Group Policy and PolicyPak and Powerbroker.”
OK, so this GPO is going to have two directives in it, one for PolicyPak and the next one for PowerBroker. Let’s go ahead and we’ll dive down under “PolicyPak/Applications/New/Application,” and we’ll pick “PolicyPak for Acrobat Reader X.” We’ll go ahead and select that.
We’ll also go to that “Security (Enhanced),” and we’re going to make sure that it, in fact, is checked. We’re going to be delivering a checkbox. An underline and a check means we deliver that setting, so we’re going to deliver that checkbox. While we’re here, we’re going to also right click and again “Disable corresponding control in target application” so a user can’t work around that.
Let’s go over to “Updater” here as well. Now if we wanted to in PolicyPak, we could as well “Hide corresponding control in target application” or “Disable corresponding control in target application.” We could make it so that a user can’t use this radio button and make it so that they can’t change these settings.
But if you’re using PowerBroker Desktops, you probably want them to be able to do that, so we’re not going to do that. But what we can do is we can set a default value for them. For instance, you might want a default value for your whole enterprise to “Do not download or install updates automatically.”
For maybe the majority of your people, you want to be in control of when Acrobat Reader updates. But maybe for some people, you want to engage with PowerBroker to allow users to change that. So we’re going to go ahead and set the default here. I’m going to go ahead and click “OK,” and I’ve locked and loaded that directive in.
Let’s go ahead and we’ll run GPUpdate here. By running “gpupdate,” we’re going to get the latest, greatest settings. We just ride the light of Group Policy, and we’re going to get those settings here. Alright, Group Policy is updating here, and we’ll go ahead and rerun “Adobe Reader X.”
We’ll go over to “Security (Enhanced),” and sure enough we’ve forced the checkbox on and we’ve made it so the user can’t screw it up. We’re guaranteeing the security there as well.
Now if we go to “Updater” here, look at that. PolicyPak has delivered the setting “Do not download or install updates automatically.” That is super cool for the majority case, but if you wanted to using PowerBroker you could set it up so that when a user clicks “OK” here they don’t get the UAC prompt anymore. That is where PowerBroker fits perfectly with PolicyPak.
Let me go ahead and do that. I’m going to go ahead and close that. I’ll close this here too. I’ll switch gears back over to my management station. Back here over on my management station, I have the PowerBroker snap-in already loaded. It loads just perfectly alongside PolicyPak.
To create the PowerBroker rule, what we’re going to do is dive down under “Policies/BeyondTrust/PowerBroker Desktops.” To save a little time here, I’ve actually pre-created the PowerBroker rule here that I need. I’ve got one for Acrobat right here. I’m just going to drag and drop it, and there we go. I’ve created the rule I need here.
Now that we’ve got the PowerBroker rule engaged, a user with the rights is going to automatically be able to do whatever they want. So we’re going to “Automatically install updates” here for this particular user, grant them the right to do that. With PowerBroker engaged, when we click “OK” no more User Account Control popup. That is the perfect marriage between PolicyPak and BeyondTrust PowerBroker Desktops Windows Edition, again, formerly known as Privilege Manager.
That’s example number one. For my second example, what I want to do is show you a very interesting website. It’s called “www.testmycam.com.” You can see here that, again, I’m a regular user. I am “EastSalesUser1.” They can click on “Allow” and get immediate access to the camera. Here I am right here on camera.
You do not want to expose your company to this hole. Again, just because you have PowerBroker Desktops Windows Edition doesn’t somehow mean you’re magically more secure over this particular problem.
What we’re going to do is we’re going to deliver the settings using PolicyPak but still enable the user to download the updated Flash Player if that’s what you want to do. Let’s go ahead and deliver those settings first, again using PolicyPak.
What we’re going to do is we’re going to dive down. We’ll “Create a GPO” here called “Manage Flash Player Using Group Policy – PolicyPak and PowerBroker.” Notice how I’m tying these both into the same GPO, because to me that makes the most sense. You’re managing the application on the one hand using PolicyPak, and you’re elevating the rights using PowerBroker.
With PolicyPak, we’ll dive down, go to “PolicyPak/Applications/New/Application” and we’ll pick “PolicyPak for Flash Player.” There are a lot of settings here, and I have a whole video just for this one. We’ll just talk about the “Cameras and Mic and Privacy” ones. We’re going to “Block all sites from using the camera and microphone.”
Since we’re also here, we’re going to right click and also “Disable corresponding control in target application.” So the user can’t work around this setting. That’s what PolicyPak does. It delivers settings and locks them down.
When we talk about “Advanced” here, when the user’s running as a standard user, you probably don’t want them to get into this “Trusted Locations Settings…,” because it in practical terms allows them to bypass these important websites and act as an admin. We don’t want to do that, so we’re going to right click and literally “Hide corresponding control in target application.” We’re going to remove the button entirely.
For “Updates,” again, you have some choices here. If you want to “Never check for updates,” maybe you want to do that on a global level like I’m about to do. I’m going to “Never check for updates,” but I’ll leave this “Check Now” button. You’ll see why in a second. I’ll go ahead and “Disable corresponding control in target application” here as well.
So I’m disabling the radio button. I’m leaving the “Check Now” button. Then I’m also going to remove the “Trusted Locations Settings…” button. I’m literally going to remove that guy. While I’m here as well, under “Playback” just for fun I’ll right click and “Disable whole tab in target application,” a new thing I haven’t shown you yet.
Now I’ve switched gears over to my client machine. Let’s go ahead and run “gpupdate” again on my machine, or I could log off and log back on, or I could wait a little while, or I could get a new machine or use a different VDI session. All of these things will cause Group Policy to update.
As soon as we do that, let’s go ahead and rerun the webpage. We’ll go to “www.testmycam.com.” Because Group Policy and PolicyPak have delivered that setting, you don’t see a picture of me.
If I right click over and go to “Global settings…” here and click “Allow,” as a standard user now if I click on “Camera and Mic,” you can see that it in fact does “Block all sites from using the camera and microphone.” That’s exactly what we wanted it to do. The UI doesn’t show you that, but it is in fact doing that underneath the hood.
If we click on “Advanced” here, we said that at a global level we never want to check for updates, and that is in fact what’s going on. Again, the UI here in Flash Player doesn’t show that, but it is in fact doing that.
We’ll get to this “Check Now” button in a second, but look at “Developer Tools.” That button that was there under “Developer Tools,” it’s gone. So, again, just having PowerBroker Desktops Windows Edition doesn’t somehow magically make you more secure over this particular problem of users working around your settings.
Now let’s talk about how PowerBroker Desktops Windows Edition can fit into this particular scenario. If you want the user to click “Check Now,” that’s great. Go ahead and click “Check Now.” Advanced users can get to this place of Flash Player here. If they want to, they can go to the “Player Download Center” and go ahead and click “Download now.”
Now you know what’s going to happen right now. As a standard user, what happens? If they click on “Save” – I’ll just click on “Save” for now – and then click “Run,” of course we’re going to get the UAC prompt. Why? Because we’re just running as a standard user, and a standard user doesn’t have the access rights in order to install this software. No problem. That is what PowerBroker Desktops Windows Edition does to adjust for that.
I’m going to close this out. Actually, I can leave that open. It doesn’t matter. I’ll go ahead and go back to my Group Policy editor here. I happen to have a preconfigured rule for this scenario. Down under “Policies/BeyondTrust/PowerBroker Desktops” I’ve got a rule for Flash. I’m going to drag and drop that right here. I’m going to import that, and that’s it.
Let me go back over to my user machine here. The very next time I try to click “Run” here, we shouldn’t see the UAC prompt anymore. We should automatically just sail through and be able to install. Let’s go ahead and check that now. Alright here, so let me go ahead and get rid of that.
I’ll refresh this page here, see if I can get it to run here. I guess I have it in downloads here, “View downloads.” I’ll go ahead and rerun this now. Remember before I got the UAC prompt. Now that the PowerBroker Desktops Windows Edition rule is in place, I can go ahead and click “Run” and no UAC prompt.
So the whole point is this better together story. PolicyPak delivers and locks down the settings you need, and PowerBroker Desktops Windows Edition can elevate the rights when needed for situations like this – a real, true better together story.
Alright, I’ve got one more cool one to show you that I think is really nice. I’ll go ahead and close that out here. Again, I’m a standard user. Let me show you something neat, which is under “Control Panel.” I’m sure you’ve seen this before, but click on “Region and Language” options.
Now there are a lot of settings for users to screw up here as well. There’s this “Additional settings…” thing in here that users can get to. There’s “Location” and “Keyboards and Languages” and “Administration” functions.
As you might expect, if you were to click on this thing with a UAC prompt next to it as a standard user, you’re going to get a UAC prompt. Exactly right. If this part of the world, “Region and Language,” is important for a particular subset of users to be able to get to, that is what PowerBroker Desktops can help you to do. It can eliminate those UAC prompts.
Now what PolicyPak is going to do is we’re going to deliver the settings for this application. I just happen to be using “Region and Language” as an application. If you had some bigger, badder application or a homegrown app or anything like that, PolicyPak’s job is to deliver those settings. An application like PowerBroker Desktops Windows Edition is going to help you eliminate the UAC prompts.
Let’s see the nice one-two punch all together. The first thing I want to do is let me close that out. Let me “Create a GPO” called “Manage Regional Options using PolicyPak and Powerbroker.”
The first thing that I want to do is click “Edit…” here and go to “PolicyPak/Applications/New/Application.” I created this one from scratch. It took me about five minutes using the PolicyPak Design Studio to create one for this application. It’s called “PolicyPak for Region and Language” here.
I’m going to make some key settings in here. I’m going to deliver “First day of week” as “Tuesday.” I know it’s a little weird, but we also want to lock this setting down. We’re going to right click and “Disable corresponding control in target application.”
While we’re here, remember that “Additional settings” tab that came up when we clicked on this “Additional settings…” button? Let’s just remove that whole thing. Let’s just make it so a user can’t even get to it. We’re going to “Hide corresponding control in target application.” Cool.
So we’ve delivered those settings right here. Set it as “Tuesday,” removed that button. For that “Keyboards and Languages” stuff here, maybe we don’t want users to “Install/uninstall languages.” So we’ll go ahead and right click over that and also “Disable corresponding control in target application,” but we want to leave that stuff under “Administrative” there for users to get to. We’ll go ahead and click “OK.”
We can also create a PowerBroker rule for this. If we dive down under “Policies/BeyondTrust/PowerBroker Desktops,” there are a couple ways to do this. Actually I’m going to “Create New Rule…” here. Then I’m going to use what’s called a “Path Rule.” Under “Path:” I’m going to pick “Windows 7,” specifically the “Regional and Language Options.” I’m just going to go ahead and “Select” and say “Yes.” I have that extra thing I need to click, and click “OK.”
Now that that is locked and loaded in there, that’s all I’ve got to do. I’ve got the PolicyPak settings here for “Region and Language.” I’ve got the PowerBroker Desktops settings for Region and Language here. In one fell swoop, I’m going to run “gpupdate,” and we’re going to take care of our problems all at once.
Alright, so let’s go ahead and type in “regional,” again “Region and Language” here. Look at what we’ve got. PolicyPak has delivered the setting for “First day of week” of “Tuesday.” Again, a regular user can’t work around it. Even though PowerBroker has elevated this whole application, even an elevated administrator can’t work around it. That’s pretty important and amazing.
If we click on “Keyboards and Languages,” hey look at that. We’ve blocked even an administrative user from getting into a setting that technically PowerBroker would allow them to get to, but we’ve ensured that the user can’t get to it.
If we click on “Administrative” here and we click on “Copy settings…,” remember what we saw earlier? It was a UAC prompt thing. Now that we’re going to click on the button and because PowerBroker is engaged and we’ve elevated Region and Language settings, what should happen? Let’s click on it now and find out. It goes right through just the way we expected.
That’s the whole point. PolicyPak will deliver the settings you want to your applications. It doesn’t matter if you’re running as a standard user or as an administrator. It will deliver those settings to your applications. A privilege management tool like PowerBroker Desktops Windows Edition can make it so that when a user has a User Account Control event that they can sail right through and get the rights that they need based on their criteria.
It’s a real beautiful thing. PolicyPak plus PowerBroker Desktops Windows Edition gives you the maximum security regarding your applications on Windows desktops.
I hope that makes sense for you. When you’re ready to test out PolicyPak, we’re here for you. Just click on the big old download button on the right or the Webinar button, or just pick up the phone and make contact. We can get you the bits right away and you can try this out in your test lab.
Thanks so much, and happy locking things down.