Privilege Guard’s UAC Replacement Extends to MSI Packages
For quite some time we have supported Windows Installer packages, empowering standard users to run MSIs, MSUs and MSPs that would require administrator privileges to complete. This functionality is fundamental in most least privilege deployments, where power users are delegated the privilege of choosing their own productivity tools.
We worked closely with our customers to understand how we can improve this offering, and came up with some additional use cases. We listened, and we delivered a much better user experience in 3.8.
Target the privilege, not just the binary
With other types of application, we have long been able to target those which specifically require elevated privileges, and only assign admin rights if the application would result in a UAC prompt. And in version 3.8, we extended this support to MSI packages.
Using the UAC rule in combination with any other matching criteria, you can now target and elevate MSI packages which need to be elevated, and leave those that don't to run with default privileges.
Privilege Guard is the only solution that offers full support for UAC replacement, now also including MSI packages.
Add AND remove…
One of THE most important aspects of a least privilege migration is giving users an improved experience, or at least giving them the same experience. User acceptance can make or break a project. Fail to meet the users' expectations and, no matter how good the project is for IT, it is doomed to fail as admin accounts creep back to disgruntled employees. So the littlest improvements that help achieve the balance of policy and experience can go a long way in terms of overall success.
Today's end user is comfortable with using the Windows Programs and Features control panel to remove software they once installed. So making them use alternative utilities as a replacement is never going to go down well.
This is why, in Privilege Guard 3.8, we have added support for policy elevation of MSI uninstalls through Programs and Features. No additional rules need to be configured, and no alternative tools are required. Users can now be empowered to remove the software they are authorized to install, in a way they are familiar with. A completely seamless experience through Windows Programs and Features.
Privilege Guard is the only solution that allows standard users to uninstall MSI packages through the native and familiar Programs and Features control panel.
So that sums up the enhancements we made to MSI support. Enhancements that make MSI management much easier for IT admins, and deliver a much better experience to end users.
Edit: Privilege Guard has now evolved into the brand new security suite, Defendpoint, which encompasses Privilege Management, Application Control and Sandboxing. For more information, please visit www.avecto.com/defendpoint.
Kris Zentek, Senior Product Manager
Kris Zentek is a Senior Product Manager at BeyondTrust, focusing on Endpoint Privilege Management solutions. Based in the UK, he has over 20 years of experience working in the cybersecurity industry.