10 Reasons to use Privilege Guard over UAC

October 20, 2017


As many organizations look to migrate to Windows 7, it is an opportune time to review user privileges. User Account Control (UAC) was introduced by Microsoft in Windows Vista, and it has remained much the same in Windows 7, albeit with a few minor tweaks to its default behavior. Although UAC is a welcome addition to Windows, it really doesn’t provide a corporate solution to least privilege.

Here are 10 reasons why Privilege Guard (Edit: now Defendpoint) provides a more suitable solution for the corporate environment.

1. Policy Driven Approach

UAC is a user driven approach to Windows least privilege, in that users make the decision on whether an application should run with administrative rights. Privilege Guard, on the other hand, takes a policy driven approach, where the IT department has complete control over which applications run with administrative rights. It is tightly integrated with Active Directory Group Policy, so no additional backend infrastructure is required to deploy Privilege Guard policies.

2. Standard User Account

UAC requires the user either to log on with a local administrator account or to know the credentials of one, which gives the user too much control and leads to deliberate or accidental misuse of these privileges. Privilege Guard enables all users to log on with standard user accounts, as elevated rights are assigned directly to the applications that require them, without the user needing access to a local administrator account.

3. Granular Privilege Control

UAC can only assign full administrative rights to an application, whereas Privilege Guard can assign granular privileges to individual applications, including, but not limited to, full administrative rights. With Privilege Guard, custom access tokens may be defined, enabling granular control over the groups, privileges and integrity level within an access token.

4. Privilege Inheritance

Once an application is assigned administrative rights with UAC, all child processes of that application automatically inherit those rights, and UAC itself provides no way to override this behavior. In Privilege Guard, privilege inheritance may be defined on a per application basis, ensuring privileges are only inherited where it is absolutely necessary. In addition, Privilege Guard forces standard user rights on the common file dialog that many applications use to let a user open or save files. This dialog has full Explorer capabilities, so it is important to revoke administrative rights from it, to ensure that deliberate or inadvertent modification of files in restricted operating system and application directories is not possible.
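The following PowerShell script is an added example, not Privilege Guard or Defendpoint code, to make points 3 and 4 concrete. It reads the parts of the current process token that a custom token would control (group membership, privileges, integrity level, whether the Administrators group is live or "used for deny only"), then launches a child and grandchild process and shows they carry the same mandatory label, because UAC is only consulted at the elevation point, never again down the process tree. It assumes whoami.exe is on the PATH (it ships with Windows) and that the function names are ones chosen here for illustration.

```powershell
# Added example, not vendor code. Run once from a plain PowerShell window and once
# from one started with "Run as administrator" to see the two UAC tokens side by side.

function Get-TokenSummary {
    [CmdletBinding()]
    param()

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # whoami /groups lists the integrity level as a row of Type "Label" and shows
    # the attributes of every group SID; whoami /priv lists every privilege in the
    # token with its enabled/disabled state. Both support CSV output for parsing.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    $label  = $groups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    # S-1-5-32-544 is BUILTIN\Administrators. In a UAC-filtered token the row is
    # present but its Attributes read "Group used for deny only".
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    [pscustomobject]@{
        User            = $identity.Name
        ProcessId       = $PID
        IsElevated      = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        IntegrityLevel  = if ($label)  { $label.'Group Name' } else { '(not reported)' }
        AdminGroupState = if ($admins) { $admins.Attributes }  else { '(not in token)' }
        GroupCount      = @($groups | Where-Object { $_.Type -ne 'Label' }).Count
        PrivilegeCount  = @($privs).Count
        EnabledPrivs    = (@($privs | Where-Object { $_.State -eq 'Enabled' }).'Privilege Name') -join ', '
    }
}

function Show-TokenInheritance {
    [CmdletBinding()]
    param()

    $parent = Get-TokenSummary

    # cmd.exe is a child of this PowerShell process and whoami.exe is a grandchild.
    # Neither goes through UAC: each simply inherits the token of its creator.
    $childGroups = & cmd.exe /c whoami /groups /fo csv | ConvertFrom-Csv
    $childLabel  = $childGroups | Where-Object { $_.Type -eq 'Label' } |
                   Select-Object -First 1 -ExpandProperty 'Group Name'
    $childAdmins = $childGroups | Where-Object { $_.SID -eq 'S-1-5-32-544' } |
                   Select-Object -First 1 -ExpandProperty Attributes

    [pscustomobject]@{
        ParentIntegrity  = $parent.IntegrityLevel
        ChildIntegrity   = $childLabel
        ParentAdminState = $parent.AdminGroupState
        ChildAdminState  = $childAdmins
        Inherited        = ($parent.IntegrityLevel -eq $childLabel) -and
                           ($parent.AdminGroupState -eq $childAdmins)
    }
}

Get-TokenSummary      | Format-List
Show-TokenInheritance | Format-List
```

From a standard window the integrity level is "Medium Mandatory Level" and the Administrators row reads "Group used for deny only"; from an elevated window it is "High Mandatory Level" with the group enabled, and both the child and grandchild report exactly the same values. That inherited token is what a per-application policy has to take away again, for the common file dialog or anything else the elevated application spawns.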

5. On Demand Elevation

Although UAC does provide an on demand elevation facility through the “Run as administrator” shell context menu, the requirement for a user to have an administrator password makes this facility inappropriate for most corporate users, with the exception of real system administrators. Privilege Guard enables a custom shell menu item to be defined, which may be applied to all or selected applications. This on demand facility functions under a standard user account, without the need for an administrator password. In addition, the user may be prompted with a custom message and optionally be asked to provide a reason for their actions, which is audited. Users can also be forced to re-authenticate before elevating an application, providing an extra level of security and discouraging a nonchalant attitude.

6. Application Support

UAC may be invoked for executables and installer packages, either because an application is deemed to require administrative rights, or the user has launched the application via “Run as administrator”. In addition to executables and installers, Privilege Guard can also manage the privileges assigned to individual scripts, including batch files, WSH scripts and PowerShell scripts. For more advanced users, Privilege Guard can elevate management console snap-ins, without giving the user elevated rights over the entire MMC. Privilege Guard can also handle the installation of authorized ActiveX controls.

7. Auditing

An important aspect of Privilege Guard is the ability to provide a comprehensive audit trail of each user’s actions. This audit trail may be vital to satisfy regulatory or internal compliance initiatives. Privilege Guard logs detailed application and policy information, including the end user’s reason for elevating an application, where applicable.

8. Privilege Monitoring

Privilege Guard includes a privilege monitoring capability, which may be used to discover any applications that require elevated rights to function. This capability is often used in the pilot phase of a least privilege project to identify the applications that need administrative rights to run. Once identified, applications may then be added to Privilege Guard policies, enabling these applications to function under a standard user account, without the need for user intervention. Privilege Monitoring may also be used in a live environment to provide application forensics of all privileged operations, including details of access to the file system, registry, kernel objects and interaction with system services.
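As an added example, and not Privilege Guard's own Privilege Monitoring, the script below shows the kind of pilot-phase inventory the paragraph describes using only the auditing Windows already keeps: it reads Security event 4688 (process creation), keeps the launches that ran with a full or consented-elevated token, and groups them by executable and user so a policy author can see which applications are being elevated and by whom. It assumes "Audit Process Creation" is enabled, that the shell running it is elevated (the Security log is not readable otherwise), and that the function and parameter names are chosen here for illustration.

```powershell
# Added example, not vendor code. Inventory of elevated launches from event 4688.

function Get-ElevatedProcessInventory {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 5000,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    # TokenElevationType values recorded in event 4688:
    #   %%1936  Type 1: full token (UAC disabled or the built-in Administrator account)
    #   %%1937  Type 2: elevated token, i.e. the user went through a UAC prompt
    #   %%1938  Type 3: limited (filtered) token, an ordinary non-elevated launch
    $elevatedTypes = @('%%1936', '%%1937')

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    $rows = foreach ($e in $events) {
        # Read fields by name from the event XML rather than trusting Properties[] order,
        # which differs between Windows versions.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($elevatedTypes -contains $data['TokenElevationType']) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process = $data['NewProcessName']
                Parent  = $data['ParentProcessName']   # only logged on Windows 10 / Server 2016 and later
                Type    = $data['TokenElevationType']
            }
        }
    }

    # One line per executable: launch count, who elevated it, and when it was last seen.
    $rows | Group-Object Process | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Process  = $_.Name
            Launches = $_.Count
            Users    = (@($_.Group.User) | Sort-Object -Unique) -join ', '
            LastSeen = (@($_.Group.Time) | Measure-Object -Maximum).Maximum
            Types    = (@($_.Group.Type) | Sort-Object -Unique) -join ' '
        }
    }
}

Get-ElevatedProcessInventory | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, this lists what users chose to elevate, not what an application actually needs: a standard user who never got past the credential prompt leaves no %%1937 entry, so the inventory is only as complete as the pilot users' behaviour. Second, it records the executable, not the operation: it cannot tell you that an application only needed write access to one registry key, which is exactly the detail the paragraph's file system, registry and kernel object forensics is meant to supply before a narrower token is chosen.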

9. Custom End User Messaging

The end user experience is often overlooked, and yet it can be crucial if a least privilege environment is to be accepted by the user community. Unlike UAC, which shows a fixed message, Privilege Guard provides a fully customizable messaging facility, enabling any number of custom messages to be defined. The IT department has full control over when a message should be displayed, whether a user should be forced to re-authenticate and whether they should be asked to provide a reason for their actions. All of the text in these messages may be customized, including full multi-lingual support. It is also possible to block a user from running a privileged or unauthorized application, and in this scenario the user can be given the ability to email a request to the help desk to run the blocked application.

10. Supported Platforms

Although many organizations are looking to make the move to Windows 7, other versions of Windows, such as XP and Vista, will continue to be prevalent for many years. Privilege Guard provides the same capabilities across all of these Windows platforms, making it possible to implement one solution in mixed environments and to carry it forward through a Windows 7 migration.

Mark Austin
