As you all know, we just released Privilege Authority 2.0 this week. It can be downloaded from http://www.scriptlogic.com/products/privilegeauthority/. Users can draw a lot of value from Privilege Authority through its rules, which enable a domain administrator to selectively elevate privileges for users while ensuring the security of the infrastructure. So our priority is to help the Privilege Authority Community build a comprehensive set of highly needed rules that can in turn be used by the community. Essentially, we want to support the idea of Content (Rules) By the Community for the Community.
As a first step, we got together with a Senior IT Infrastructure Manager and highly experienced Engineers and Architects to identify some of the applications that a typical user tries to install and execute and that require administrative permissions. The result is the following list of ideas that the community can use to build potential rules.
The items that tend to generate the most trouble and take up the most helpdesk resource time are the web requirements (Java and Flash), both at install and at update, as well as some of the free consumer applications. They typically are:
Web Requirements and Applications:
- Java Updater
- Java Installer
- Adobe Updater
- Adobe Flash Player Installer
- Google Earth
- Google Picasa
- Microsoft Live Essentials
- Firefox (Can actually install without rights but will not place files in c:\program files)
- Chrome
- Skype
- Google Desktop
- All IM clients (AIM, MSN, Yahoo, Google Talk, Trillian, etc…)
- Real Player
- iTunes (Very Popular application)
- Quicktime
- Browser Tool bars (Google, Yahoo, Bing)
- Browser Plugins (Java, Flash, Shockwave, Silverlight)
- Malwarebytes Anti-Malware & Spybot - Search & Destroy
- CCleaner
- Free PDF creation tools like PrimoPDF
- Adobe Acrobat Reader (plus ability to have it perform its own updates)
Business Applications/Utilities:
- Microsoft Office
- SalesForce plugin Installer (for Outlook)
- Printer Debugger Launcher
- VMware ESX Console
- VMware Workstation
- VMware Player
Social Networking:
- Social connectors for Outlook (Facebook and LinkedIn)
- Lync / Communicator Chat Client
Some additional ideas for Potential Rules:
- Ability to change Time Zone Only
- Ability to change Time Only
- Ability to use IPCONFIG for everyone
- Ability to use GPUPDATE as local admin to force computer refresh
- Explorer rule with access to a specific folder such as those under Program Files
- Registry rule to allow access to a specific key
- Rule to manipulate a specific service (stop, start, etc.)
- Generic batch file running as admin (could add list of arguments in comments to limit the child processes)
- VB Script rule (WScript.exe plus path to arguments)
- Generic local policy that allows changing of a specific policy such as point and print restrictions
Note that community members can use these ideas to participate in the “Making all the Rules” Challenge announced by ScriptLogic. The details of the challenge are available at http://privilegeforum.scriptlogic.com/Making-all-the-Rules-Challenge.aspx
As a follow-up, we are planning to post a set of guidelines one should follow while creating Rules so they can be easily exchanged among community members. In keeping with the spirit of “By the Community for the Community”, these guidelines are to be treated as an initial proposal, with further updates expected based on community suggestions.
Looking forward to the community feedback on this posting. Feel free to post the Topics, Rules and various aspects of Privilege Authority that are important to you on the community site. It will help us support the Community efforts.
Avinash Kodey
Director of Product Management,
ScriptLogic Corporation