NOTICE: This product is terminated

Winternals has been purchased by Microsoft.

We recommend that you take a look at O&O Software's product range, which can solve problems similar to those Winternals addressed.

"Moving all of my end users out of the ‘Administrators’ group is a security no-brainer. But with legacy apps that need admin rights and a stack of productivity obstacles it simply wasn’t feasible. With Protection Manager, we can do it, and it works. This product gives the control back to the administrator on a whole new level."

Robert Guidarini, IT Manager • Clear Channel Communications

Your Windows network is vulnerable to attack from malicious code, end users with greater administrative privileges than necessary, and unregulated software installation and use. However, Microsoft’s native privilege management requires an all-or-nothing approach when it comes to granting privileges to users, and that inflexibility, coupled with the fact that some mission-critical applications require Administrative privileges to run, leaves many enterprises in an uncomfortable position.

Winternals’ Protection Manager gives an enterprise the ability to secure its Windows infrastructure by creating a least privilege environment in which users have only the privileges needed to do their jobs efficiently. Users are authorized or prohibited from running an application based on one of four security levels: Allow, Run with Administrative Privileges, Run as Limited User, or Deny.

How Protection Manager works

 

Four Security Levels

Security levels are a flexible way to allocate contextually appropriate levels of administrative privilege to your users, eliminating the need for users to run with an Administrator account just because they have to access one legacy application that requires it. The four Security Levels are:

Allow 
The application is on an approved list.

Run with Administrative Privileges 
The user can run that application (and only that application) as an Administrator. This is important when your enterprise relies on legacy applications that require Administrative privileges to run.

Run as Limited User
The executable will run with Limited User privileges, in the user’s context, reducing the vulnerability of high-risk applications like Internet Explorer and Office.

Deny
The application will not execute.


SmartStop™ and SmartRun™

SmartStop™ monitors the creation of all processes on a system, intercepting denied applications before they can run. SmartRun™ allows applications to run in a different security context from the logged-on user, permitting users to run as users while accessing applications that require administrative privilege.


Run-time Requests for Permission

When a user tries to run an application not on the approved list of trusted applications, a dialogue box appears informing him or her that the application will not run, and allowing the user to explain why it’s necessary. The request is sent automatically to the Delegator for that Role, who can approve or deny it very quickly. This makes the process far more responsive, and thus more likely to be accepted across the organization. It also minimizes the impact on productivity by allowing users to immediately request permission to run necessary business applications.

 

Ease of Administration Translates to Scalability

The administrator can use Protection Manager’s central console to create and maintain the definitions of Roles and to delegate approval of unknown applications within the IT department, maintaining security while making Protection Manager scalable into even the largest IT shops.


Multiple Application Identification Methods

Protection Manager permits you to select applications from the Application Browser by digital signature, hash, path, or file owner. This allows you to find applications central to business quickly and easily, through whatever method makes sense for your organization.


Application Browser

The Application Browser offers a simple, familiar interface for viewing harvested applications, and gives you the ability to sort and filter them to accommodate your needs. It’s simple to add applications from the Browser to File Sets, and Protection Manager even allows you to drag and drop from the Browser into a File Set.


Deployment Modes

Protection Manager’s deployment is designed for maximum flexibility and acceptance. After installing Protection Manager and deploying the client, the next step is a system-wide reconnaissance done unobtrusively in the background. In Silent Mode, Administrators harvest the applications in use, and then view them in the Application Browser where they can be sorted and filtered. Then they create File Sets for each managed Role. Applications already in use in the organization have already been explored, evaluated, and approved or denied by the time the user is even aware of the process during Interactive Deployment Mode.

When you switch into Enforced Mode, users are already ‘trained’ in the process of requesting applications, and since you’ve already evaluated what they use every day, there should be no unpleasant access problems that impact their productivity.


Active Directory Integration

Protection Manager offers Winternals’ customary tight integration with Active Directory, while freeing you from the need to use Group Policy. This combination eases deployment and administration of Protection Manager.


Support for All 32-bit Windows Versions

Protection Manager seamlessly supports your entire 32-bit Windows infrastructure.


Compliance

Administrators now have a wide range of compliance issues to manage, from HIPAA to Sarbanes-Oxley and beyond. An important part of that duty lies in managing access to restricted files. In enterprises where a sizeable percentage of users are running unnecessarily as Administrators, you have a serious compliance issue if anything goes wrong and triggers an investigation. Protection Manager helps to eliminate that security risk, both by limiting users’ privileges and by prohibiting the execution of malicious applications, which could include spyware that could compromise legally protected data.